Luke Howard [Tue, 2 Apr 2013 05:48:02 +0000 (16:48 +1100)]
Chbind cleanups
* indentation
* don't use non-booleans as truth values
* consistent cleanup handling
* improved variable names
Sam Hartman [Tue, 26 Mar 2013 00:25:22 +0000 (20:25 -0400)]
ttls: defer METHOD_DONE if cb pending
Allow a round trip including CB response.
Sam Hartman [Mon, 25 Mar 2013 20:19:36 +0000 (16:19 -0400)]
ttls: chbind_hdr is packed
Sam Hartman [Fri, 22 Mar 2013 19:39:43 +0000 (15:39 -0400)]
libeap: Use AM_CFLAGS not CFLAGS
Sam Hartman [Fri, 22 Mar 2013 18:01:23 +0000 (14:01 -0400)]
libeap: ttls: encapsulate using RADIUS VSA
It turns out that older versions of FreeRADIUS will fail if they
receive a diameter VSA not in their dictionary. A RADIUS VSA is fine
though. This does not comply with the TTLS spec, but is the best we
can do in terms of interoperability, so do that.
Sam Hartman [Fri, 22 Mar 2013 17:13:28 +0000 (13:13 -0400)]
libeap: use attribute 135 not 134 for ttls chbind
Sam hartman [Tue, 19 Mar 2013 18:04:27 +0000 (14:04 -0400)]
chbind: use IETF attributes
Use non-VSA IETF attributes for channel binding. Also, permit more
attributes in response than request.
Kevin Wasserman [Fri, 17 Feb 2012 19:30:56 +0000 (14:30 -0500)]
Set GSS_C_MUTUAL_FLAG only on successful channel binding.
Previously, GSS_C_MUTUAL_FLAG was always set in the initiator context;
CTX_FLAG_EAP_CHBIND_ACCEPT was also set on successful channel binding.
Then GSS_C_MUTUAL_FLAG was properly specified in the return flags to
gssEapInitSecContext() depending on whether CTX_FLAG_EAP_CHBIND was set,
but eapGssSmInitGssFlags() was improperly sending GSS_C_MUTUAL_FLAG to
the acceptor even when no channel binding had occurred.
Kevin Wasserman [Wed, 15 Feb 2012 20:22:26 +0000 (15:22 -0500)]
Fix bug in eap_ttls_avp_encapsulate() when >248 bytes are encapsulated.
src pointer wasn't being advanced, so the first 248 bytes were duplicated
in place of the remainder of the message.
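The pointer-advance bug described in this commit message is a general chunked-encapsulation mistake, so here is an added C example (not libeap's own eap_ttls_avp_encapsulate() code) showing the buggy loop beside the fixed one, with a decoder that lets a round-trip check expose the duplication. The 248-byte fragment cap comes from the commit message; the two-byte fragment header and the FRAG_TYPE value are constructed for the example and are not the real RADIUS or Diameter AVP layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 248   /* per-fragment payload cap named in the commit message */
#define HDR_LEN   2     /* constructed header: 1-byte type, 1-byte fragment length */
#define FRAG_TYPE 0x7f  /* constructed attribute type, not a registered code */

typedef size_t (*encap_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Buggy form: src is never advanced, so every fragment after the first
 * carries the first CHUNK_MAX bytes again. Returns bytes written, 0 on overflow. */
size_t encapsulate_buggy(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_cap)
{
    size_t remaining = src_len, out = 0;
    while (remaining > 0) {
        size_t n = remaining > CHUNK_MAX ? CHUNK_MAX : remaining;
        if (out + HDR_LEN + n > dst_cap) return 0;
        dst[out] = FRAG_TYPE;
        dst[out + 1] = (uint8_t)n;
        memcpy(dst + out + HDR_LEN, src, n);   /* always copies from the start of src */
        out += HDR_LEN + n;
        remaining -= n;
    }
    return out;
}

/* Fixed form: src moves forward by the number of bytes just copied. */
size_t encapsulate_fixed(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_cap)
{
    size_t remaining = src_len, out = 0;
    while (remaining > 0) {
        size_t n = remaining > CHUNK_MAX ? CHUNK_MAX : remaining;
        if (out + HDR_LEN + n > dst_cap) return 0;
        dst[out] = FRAG_TYPE;
        dst[out + 1] = (uint8_t)n;
        memcpy(dst + out + HDR_LEN, src, n);
        src += n;                              /* the one-line fix */
        out += HDR_LEN + n;
        remaining -= n;
    }
    return out;
}

/* Strips the fragment headers and concatenates payloads.
 * Returns bytes recovered, or 0 on malformed or truncated input. */
size_t decapsulate(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;
    while (in < src_len) {
        if (src_len - in < HDR_LEN || src[in] != FRAG_TYPE) return 0;
        size_t n = src[in + 1];
        if (n == 0 || n > CHUNK_MAX || src_len - in - HDR_LEN < n) return 0;
        if (out + n > dst_cap) return 0;
        memcpy(dst + out, src + in + HDR_LEN, n);
        in += HDR_LEN + n;
        out += n;
    }
    return out;
}

/* Round-trip check: 1 if a constructed payload of payload_len bytes survives
 * encapsulation with encap followed by decapsulate, else 0. */
int round_trips(encap_fn encap, size_t payload_len)
{
    uint8_t payload[600], wire[700], back[600];
    if (payload_len == 0 || payload_len > sizeof payload) return 0;
    for (size_t i = 0; i < payload_len; i++)
        payload[i] = (uint8_t)(i & 0xff);      /* constructed pattern, period 256 != 248 */
    size_t wire_len = encap(payload, payload_len, wire, sizeof wire);
    if (wire_len == 0) return 0;
    size_t back_len = decapsulate(wire, wire_len, back, sizeof back);
    return back_len == payload_len && memcmp(payload, back, payload_len) == 0;
}

int main(void)
{
    /* A single fragment hides the bug; anything over CHUNK_MAX exposes it. */
    printf("buggy, 248 bytes: %d\n", round_trips(encapsulate_buggy, 248));
    printf("buggy, 600 bytes: %d\n", round_trips(encapsulate_buggy, 600));
    printf("fixed, 600 bytes: %d\n", round_trips(encapsulate_fixed, 600));
    return 0;
}
```

The decoder is deliberately strict about lengths so that a truncated or oversized fragment is rejected rather than read past the buffer; the bug itself never trips those checks, which is why a content comparison on the reassembled payload is the test that actually catches it.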
Kevin Wasserman [Fri, 17 Feb 2012 20:09:28 +0000 (15:09 -0500)]
Eap channel bindings cleanup
Simplify radius buffer construction and parse service-specifics correctly.
Kevin Wasserman [Fri, 10 Feb 2012 16:51:12 +0000 (11:51 -0500)]
Simplify and document radius_utils.c and radius_utils.h
Kevin Wasserman [Wed, 8 Feb 2012 15:33:29 +0000 (10:33 -0500)]
Fix libeap/src/utils/common.h to support windows+ipv6.
Use winsock2.h + ws2tcpip.h instead of winsock.h
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
Sam hartman [Sun, 5 Feb 2012 22:33:23 +0000 (22:33 +0000)]
Fix pointer signedness issues
Kevin Wasserman [Sun, 5 Feb 2012 20:56:00 +0000 (15:56 -0500)]
Eap channel bindings fixes
Only specify GSS_C_MUTUAL_FLAG return flag on successful eap channel
binding.
Kevin Wasserman [Thu, 2 Feb 2012 21:32:50 +0000 (16:32 -0500)]
EAP Channel binding
Kevin Wasserman [Sun, 5 Feb 2012 20:45:19 +0000 (15:45 -0500)]
eap channel bindings: use ukerna vsa to encapsulate ttls chbind messages.
Kevin Wasserman [Thu, 2 Feb 2012 12:44:29 +0000 (07:44 -0500)]
eap channel binding support.
Kevin Wasserman [Tue, 20 Dec 2011 16:40:30 +0000 (11:40 -0500)]
channel binding WIP: add chbind_data, chbind_data_len to eap_peer_config
Sam Hartman [Tue, 24 Jan 2012 17:39:42 +0000 (12:39 -0500)]
Bump spec version
Sam Hartman [Tue, 3 Jan 2012 20:41:17 +0000 (15:41 -0500)]
Initialize shib resolver before opensaml so catalog path is set
Sam Hartman [Tue, 24 Jan 2012 17:38:03 +0000 (12:38 -0500)]
util_moonshot.c: Handle empty strings in trust anchor arguments.
Sam Hartman [Wed, 18 Jan 2012 00:27:48 +0000 (19:27 -0500)]
Treat empty cert hash as NULL (LP: #917956)
Sam Hartman [Tue, 3 Jan 2012 16:56:17 +0000 (11:56 -0500)]
Merge remote-tracking branch 'origin/master'
Pete Fotheringham [Mon, 2 Jan 2012 18:33:40 +0000 (18:33 +0000)]
Automated builds and creation of installer package and disk image works
Luke Howard [Mon, 12 Dec 2011 09:30:38 +0000 (20:30 +1100)]
Revert "InitOnceExecuteOnce not present on XP"
This reverts commit
061ae16ba14ef7a70bdb4741a1e04ced4d5d7b09.
There is still a race in this lockless one-time initialization which
could cause an assertion failure. Until we decide whether XP support
for the acceptor is required, back this out.
Luke Howard [Sat, 10 Dec 2011 09:39:17 +0000 (20:39 +1100)]
InitOnceExecuteOnce not present on XP
Luke Howard [Sat, 10 Dec 2011 23:57:48 +0000 (10:57 +1100)]
Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
Luke Howard [Thu, 1 Dec 2011 03:19:18 +0000 (14:19 +1100)]
add MS-Windows-Group-Sid
Pete Fotheringham [Wed, 30 Nov 2011 18:33:33 +0000 (18:33 +0000)]
Merge branch 'master' of project-moonshot.org/git/moonshot
Conflicts:
moonshot/mech_eap/Makefile.am
Pete Fotheringham [Wed, 30 Nov 2011 17:31:26 +0000 (17:31 +0000)]
Link against the Kerberos library in /usr/local instead of the version in /usr
Luke Howard [Mon, 28 Nov 2011 15:01:39 +0000 (02:01 +1100)]
Revert "Support EAP-TLS in Moonshot (requires OpenSSL)"
This reverts commit
2ef42df0ecea8745a678fe26ff9b16072b93586b.
Luke Howard [Mon, 28 Nov 2011 15:01:34 +0000 (02:01 +1100)]
Revert "remember to duplicate clientCertificate"
This reverts commit
0bde9b2ad5a4a36f745f1c91e9155edb337922b8.
Luke Howard [Mon, 28 Nov 2011 15:01:28 +0000 (02:01 +1100)]
Revert "Allow certificate/private key to contain binary data"
This reverts commit
6196f93aaca970f23276407af0812179c51a29ea.
Luke Howard [Thu, 17 Nov 2011 11:15:47 +0000 (22:15 +1100)]
NFSv4 patch from Daniel Kouril
Luke Howard [Thu, 17 Nov 2011 09:34:12 +0000 (20:34 +1100)]
Allow certificate/private key to contain binary data
Luke Howard [Thu, 17 Nov 2011 09:04:08 +0000 (20:04 +1100)]
remember to duplicate clientCertificate
Luke Howard [Thu, 17 Nov 2011 08:33:22 +0000 (19:33 +1100)]
Support EAP-TLS in Moonshot (requires OpenSSL)
Luke Howard [Thu, 17 Nov 2011 08:32:47 +0000 (19:32 +1100)]
Merge branch 'moonshot' of ssh://moonshot.suchdamage.org:822/srv/git/libeap into moonshot
Conflicts:
Makefile.am
Luke Howard [Thu, 17 Nov 2011 05:37:06 +0000 (16:37 +1100)]
link against OpenSSL backend
Luke Howard [Sat, 22 Oct 2011 02:38:51 +0000 (13:38 +1100)]
wrap gssQueryMechanismInfo
Luke Howard [Fri, 21 Oct 2011 03:51:09 +0000 (14:51 +1100)]
Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
Luke Howard [Fri, 21 Oct 2011 03:50:05 +0000 (14:50 +1100)]
Fix for building without acceptor
Sam Hartman [Thu, 13 Oct 2011 13:55:00 +0000 (09:55 -0400)]
Fix merge conflict
Sam hartman [Mon, 10 Oct 2011 13:46:46 +0000 (14:46 +0100)]
Add freeradius to rpath; disable ui integration from spec for now
Sam hartman [Sat, 8 Oct 2011 14:54:59 +0000 (15:54 +0100)]
Spec file update
Sam hartman [Fri, 16 Sep 2011 18:56:38 +0000 (19:56 +0100)]
Update libeap to include make dist
Sam hartman [Fri, 16 Sep 2011 18:41:51 +0000 (19:41 +0100)]
make dist: distribute sources
Distribute headers so that make dist works
Include headers in built sources to fix dependencies for parallel builds
Distribute exports files and require that the resulting library depend on them
Luke Howard [Fri, 7 Oct 2011 14:39:32 +0000 (01:39 +1100)]
Don't fail if password supplied by caller
If the libmoonshot or static (file-based) identity resolver fails, and
the caller provided a password via gss_acquire_cred_with_password(), then
resolving the credential should not fail.
Luke Howard [Fri, 7 Oct 2011 07:06:57 +0000 (18:06 +1100)]
fix incorrect reauth cred assert check
Luke Howard [Thu, 6 Oct 2011 10:34:10 +0000 (21:34 +1100)]
note about whether initiator cred lock is required
Luke Howard [Thu, 6 Oct 2011 10:29:55 +0000 (21:29 +1100)]
remove unnecessary cred lock in acceptor
Luke Howard [Wed, 5 Oct 2011 07:47:39 +0000 (18:47 +1100)]
allow building without libmoonshot
Luke Howard [Wed, 5 Oct 2011 02:22:38 +0000 (13:22 +1100)]
poke buildbot
Luke Howard [Wed, 5 Oct 2011 02:07:47 +0000 (13:07 +1100)]
initialize major in gss_query_meta_data
Luke Howard [Wed, 5 Oct 2011 01:56:19 +0000 (12:56 +1100)]
Merge branch 'master' into negoex
Luke Howard [Mon, 3 Oct 2011 23:22:14 +0000 (10:22 +1100)]
NegoEx SPIs
Luke Howard [Thu, 22 Sep 2011 09:24:09 +0000 (19:24 +1000)]
check radsec config when acquiring acceptor cred
Luke Howard [Tue, 20 Sep 2011 13:44:28 +0000 (23:44 +1000)]
note gssEapAcquireCred should validate RADIUS config
Luke Howard [Tue, 20 Sep 2011 02:21:43 +0000 (12:21 +1000)]
Fix regression where error tokens were not being sent
Luke Howard [Mon, 19 Sep 2011 12:49:16 +0000 (22:49 +1000)]
Add GSSEAP_NO_LOCAL_MAPPING error
Luke Howard [Mon, 19 Sep 2011 08:58:52 +0000 (18:58 +1000)]
use krb5_auth_con_setlocalsubkey on Heimdal
Luke Howard [Sun, 18 Sep 2011 03:39:51 +0000 (13:39 +1000)]
Add CRED_FLAG_TARGET
Set a flag indicating whether the credential has been bound to a service
Luke Howard [Sat, 17 Sep 2011 09:25:16 +0000 (19:25 +1000)]
Simplify verify_mic path
Allow verify_mic, wrapped on top of the IOV routines, to pass in a single
HEADER buffer rather than needing to understand the underlying split between
header and trailer.
Luke Howard [Sat, 17 Sep 2011 07:47:01 +0000 (17:47 +1000)]
Merge branch 'master' of ssh://moonshot.suchdamage.org:822/srv/git/moonshot
Luke Howard [Sat, 17 Sep 2011 07:32:28 +0000 (17:32 +1000)]
make sure imported sec context keys correctly allocated
Luke Howard [Sat, 17 Sep 2011 06:24:53 +0000 (16:24 +1000)]
PRF/random_to_key allocation fix
MIT and Heimdal use different allocation strategies
(caller-allocates, callee-allocates) for the same functions,
unfortunately.
Conflicts:
moonshot/mech_eap/util.h
Luke Howard [Fri, 16 Sep 2011 23:46:06 +0000 (09:46 +1000)]
use calloc to match with Heimdal (heim_alloc not exported)
Luke Howard [Sat, 17 Sep 2011 06:17:57 +0000 (16:17 +1000)]
create TLD on-demand for threads started pre-DLL load
Conflicts:
moonshot/mech_eap/util_tld.c
Luke Howard [Fri, 16 Sep 2011 22:10:21 +0000 (08:10 +1000)]
more cleanup of TLD
Luke Howard [Fri, 16 Sep 2011 21:49:44 +0000 (07:49 +1000)]
general cleanup of TLD init
Sam hartman [Fri, 16 Sep 2011 18:56:45 +0000 (19:56 +0100)]
mech_eap.spec: new redhat packaging
Add build infrastructure to generate spec file.
Sam hartman [Fri, 16 Sep 2011 18:56:38 +0000 (19:56 +0100)]
Update libeap to include make dist
Sam hartman [Fri, 16 Sep 2011 18:43:04 +0000 (19:43 +0100)]
Fix unused variable in non-acceptor mode
Sam hartman [Fri, 16 Sep 2011 18:41:51 +0000 (19:41 +0100)]
make dist: distribute sources
Distribute headers so that make dist works
Include headers in built sources to fix dependencies for parallel builds
Distribute exports files and require that the resulting library depend on them
Sam hartman [Fri, 16 Sep 2011 18:40:41 +0000 (19:40 +0100)]
make dist: distribute sources
Distribute enough sources that a tar includes a set sufficient to build
Sam hartman [Fri, 16 Sep 2011 15:17:53 +0000 (16:17 +0100)]
Makefile: build fixes
mech_eap_la_CFLAGS was multiply defined.
Also, disable-acceptor sources were set incorrectly.
Sam hartman [Fri, 16 Sep 2011 15:16:28 +0000 (16:16 +0100)]
configure: GNU_SOURCE is redundant
You only want either use_extensions or gnu_source. use_extensions is
the modern preferred way to enable gnu_source.
This commit fixes a lot of useless warnings at autoreconf time.
Sam Hartman [Fri, 16 Sep 2011 15:13:03 +0000 (16:13 +0100)]
configure: support krb5 --with-system-et
If the system et and compile_et are used, then compile_et may not be
in the krb5 directory; support this.
Luke Howard [Fri, 16 Sep 2011 14:02:34 +0000 (00:02 +1000)]
More careful matching of alloc/free functions
Luke Howard [Fri, 16 Sep 2011 06:14:48 +0000 (16:14 +1000)]
use GSSEAP_ASSERT macro instead of assert
Luke Howard [Fri, 16 Sep 2011 05:37:50 +0000 (15:37 +1000)]
don't release TLS data in DLL_PROCESS_DETACH
Luke Howard [Fri, 16 Sep 2011 05:02:31 +0000 (15:02 +1000)]
Don't assert fail on Windows if mech does not init
Luke Howard [Thu, 15 Sep 2011 09:19:35 +0000 (19:19 +1000)]
include Windows-specific GSS flags in flags token
Luke Howard [Wed, 14 Sep 2011 15:23:42 +0000 (01:23 +1000)]
Windows acceptor build fixes
Windows will require C++ clean FreeRADIUS headers
another Windows acceptor-side fix
Conflicts:
moonshot/mech_eap/util.h
Luke Howard [Wed, 14 Sep 2011 07:30:06 +0000 (17:30 +1000)]
make gssEapImportContext un-static for other internal consumers
Luke Howard [Wed, 14 Sep 2011 06:38:55 +0000 (16:38 +1000)]
add gssEapPseudoRandom for internal consumers
Luke Howard [Wed, 14 Sep 2011 06:12:34 +0000 (16:12 +1000)]
Merge remote-tracking branch 'origin/windows'
Luke Howard [Wed, 14 Sep 2011 06:11:37 +0000 (16:11 +1000)]
Merge branch 'windows'
Conflicts:
moonshot/configure.ac
moonshot/mech_eap/Makefile.am
moonshot/mech_eap/accept_sec_context.c
moonshot/mech_eap/acquire_cred.c
moonshot/mech_eap/add_cred.c
moonshot/mech_eap/add_cred_with_password.c
moonshot/mech_eap/canonicalize_name.c
moonshot/mech_eap/compare_name.c
moonshot/mech_eap/context_time.c
moonshot/mech_eap/delete_name_attribute.c
moonshot/mech_eap/delete_sec_context.c
moonshot/mech_eap/display_name.c
moonshot/mech_eap/display_name_ext.c
moonshot/mech_eap/display_status.c
moonshot/mech_eap/duplicate_name.c
moonshot/mech_eap/eap_mech.c
moonshot/mech_eap/export_name.c
moonshot/mech_eap/export_name_composite.c
moonshot/mech_eap/export_sec_context.c
moonshot/mech_eap/get_mic.c
moonshot/mech_eap/get_name_attribute.c
moonshot/mech_eap/gssapiP_eap.h
moonshot/mech_eap/import_name.c
moonshot/mech_eap/import_sec_context.c
moonshot/mech_eap/indicate_mechs.c
moonshot/mech_eap/init_sec_context.c
moonshot/mech_eap/inquire_attrs_for_mech.c
moonshot/mech_eap/inquire_context.c
moonshot/mech_eap/inquire_cred.c
moonshot/mech_eap/inquire_cred_by_oid.c
moonshot/mech_eap/inquire_mech_for_saslname.c
moonshot/mech_eap/inquire_mechs_for_name.c
moonshot/mech_eap/inquire_name.c
moonshot/mech_eap/inquire_names_for_mech.c
moonshot/mech_eap/inquire_saslname_for_mech.c
moonshot/mech_eap/inquire_sec_context_by_oid.c
moonshot/mech_eap/map_name_to_any.c
moonshot/mech_eap/process_context_token.c
moonshot/mech_eap/pseudo_random.c
moonshot/mech_eap/release_any_name_mapping.c
moonshot/mech_eap/release_cred.c
moonshot/mech_eap/release_name.c
moonshot/mech_eap/set_name_attribute.c
moonshot/mech_eap/set_sec_context_option.c
moonshot/mech_eap/store_cred.c
moonshot/mech_eap/unwrap.c
moonshot/mech_eap/unwrap_iov.c
moonshot/mech_eap/util.h
moonshot/mech_eap/util_context.c
moonshot/mech_eap/util_cred.c
moonshot/mech_eap/util_krb.c
moonshot/mech_eap/util_name.c
moonshot/mech_eap/util_tld.c
moonshot/mech_eap/verify_mic.c
moonshot/mech_eap/wrap.c
moonshot/mech_eap/wrap_iov.c
moonshot/mech_eap/wrap_iov_length.c
moonshot/mech_eap/wrap_size_limit.c
Luke Howard [Wed, 14 Sep 2011 05:16:24 +0000 (15:16 +1000)]
implement gssEapSetCredService
Sam Hartman [Wed, 14 Sep 2011 00:26:03 +0000 (20:26 -0400)]
Build fixes for non-Windows
Luke Howard [Tue, 13 Sep 2011 07:16:39 +0000 (17:16 +1000)]
avoid too many reallocs when parsing tokens
Luke Howard [Tue, 13 Sep 2011 07:01:56 +0000 (17:01 +1000)]
restore inquire_name, regressed in earlier commit
Luke Howard [Tue, 13 Sep 2011 06:39:22 +0000 (16:39 +1000)]
separate gss_display_status into inner/outer APIs
Luke Howard [Tue, 13 Sep 2011 06:37:15 +0000 (16:37 +1000)]
no vasprintf() on Win32
Luke Howard [Tue, 13 Sep 2011 06:28:51 +0000 (16:28 +1000)]
call eap_mech constructors from DllMain
Luke Howard [Tue, 13 Sep 2011 06:27:28 +0000 (16:27 +1000)]
fix signedness on krb5_data data member
(at least for MIT)
Luke Howard [Tue, 13 Sep 2011 05:29:19 +0000 (15:29 +1000)]
add GET_LAST_ERROR macro
Luke Howard [Tue, 13 Sep 2011 05:08:02 +0000 (15:08 +1000)]
cast to match signedness
Luke Howard [Tue, 13 Sep 2011 05:11:51 +0000 (15:11 +1000)]
cast void * to unsigned char * for Heimdal compat
Luke Howard [Tue, 13 Sep 2011 05:22:38 +0000 (15:22 +1000)]
more build fixes for Windows