Kevin Wasserman [Tue, 28 Apr 2015 14:34:51 +0000 (10:34 -0400)]
Update kerberos directory in win-build
Updated to match the location in the Amazon instance.
Should be fixed to read from the registry.
Kevin Wasserman [Tue, 14 Apr 2015 19:59:25 +0000 (15:59 -0400)]
Windows installer for mech_eap
Kevin Wasserman [Thu, 26 Feb 2015 23:17:24 +0000 (18:17 -0500)]
Fix libmoonshot detection and linking on windows
Kevin Wasserman [Thu, 26 Feb 2015 21:40:25 +0000 (16:40 -0500)]
Use win-vc-env.cmd build script in win-build.cmd
Kevin Wasserman [Thu, 26 Feb 2015 21:38:08 +0000 (16:38 -0500)]
util_base64 is required for non-acceptor builds
Kevin Wasserman [Mon, 2 Feb 2015 21:19:09 +0000 (16:19 -0500)]
Utility to set up VC build env on Windows
Kevin Wasserman [Mon, 2 Feb 2015 16:44:06 +0000 (11:44 -0500)]
Use libmoonshot cflags and lib path
Kevin Wasserman [Mon, 22 Dec 2014 16:37:35 +0000 (11:37 -0500)]
Clear PWD so buildbot works
Kevin Wasserman [Thu, 18 Dec 2014 20:55:08 +0000 (15:55 -0500)]
Add windows build scripts
Kevin Wasserman [Thu, 18 Dec 2014 00:18:33 +0000 (19:18 -0500)]
Add accidentally overlooked mech_eap.def.header
Kevin Wasserman [Wed, 17 Dec 2014 23:59:29 +0000 (18:59 -0500)]
Add compile_et replacement for Windows
Kevin Wasserman [Tue, 16 Dec 2014 19:40:36 +0000 (14:40 -0500)]
Windows fixes for mech_eap Makefile
Define CONFIG_NATIVE_WINDOWS, not CONFIG_WIN32_DEFAULTS.
Hand-specify the link rule on Windows; libtool does not properly recognize import
libraries and is generally more trouble than it is worth.
Kevin Wasserman [Tue, 16 Dec 2014 19:37:09 +0000 (14:37 -0500)]
Only define gss_eap_attrid when needed; ensure <utility> is included
Kevin Wasserman [Tue, 16 Dec 2014 19:30:54 +0000 (14:30 -0500)]
Fix up libeap makefile for Windows build
Kevin Wasserman [Tue, 16 Dec 2014 19:25:27 +0000 (14:25 -0500)]
Update krb5 library detection and make variables for Windows
Currently works for mit-krb5, 32-bit.
Kevin Wasserman [Tue, 16 Dec 2014 19:16:03 +0000 (14:16 -0500)]
Include winsock2.h before openssl/x509v3.h
Kevin Wasserman [Tue, 16 Dec 2014 19:15:07 +0000 (14:15 -0500)]
Ensure ABFAB RADIUS attributes are defined
Sam Hartman [Wed, 22 Oct 2014 18:20:37 +0000 (14:20 -0400)]
Use C++ destructors not finalizers
Rather than calling the attribute finalizer from a library level finalizer, do so from a C++ destructor.
Hopefully this addresses a segfault on process termination (LP: #1201939)
Sam Hartman [Wed, 22 Oct 2014 18:18:09 +0000 (14:18 -0400)]
Mech_eap: only output debugging when GSSEAP_TRACE is set
Previously we only output informational messages from libeap.
However, we also output them all the time to stdout, which is bad
because it disrupts the output of the program. Now, only output
debugging when the GSSEAP_TRACE environment variable is set. In that
case output all the libeap debugging, not just informational messages.
In addition, use secure_getenv if it is available to avoid introducing yet more issues if run in a raised privilege situation.
Sam Hartman [Tue, 16 Sep 2014 11:05:49 +0000 (07:05 -0400)]
Distribute extra files
Sam Hartman [Mon, 15 Sep 2014 19:03:57 +0000 (15:03 -0400)]
Version 0.9.2
Sam Hartman [Mon, 15 Sep 2014 19:02:41 +0000 (19:02 +0000)]
Only permit ttls
Sam Hartman [Mon, 15 Sep 2014 17:46:01 +0000 (13:46 -0400)]
Include legal notices in distribution
Sam Hartman [Thu, 31 Jul 2014 18:15:42 +0000 (14:15 -0400)]
fix typo
Sam Hartman [Thu, 31 Jul 2014 14:38:14 +0000 (10:38 -0400)]
Register new RADIUS attributes
Sam Hartman [Wed, 30 Jul 2014 22:02:37 +0000 (18:02 -0400)]
Version 0.9.1
Kevin Wasserman [Thu, 12 Jun 2014 15:09:55 +0000 (11:09 -0400)]
Treat caCertificate as base64-encoded DER rather than PEM
OpenSSL's PEM parser is very picky and requires newlines.
Moonshot-webp eats newlines from the raw XML, requiring
hand-placed ' ' for successful parsing, which is
undesirable. So instead use mech_eap's base64Decode() to
convert caCertificate to DER.
Kevin Wasserman [Tue, 10 Jun 2014 22:11:59 +0000 (18:11 -0400)]
Avoid double-free of BIO. Better error code for CA cert parsing failure.
Kevin Wasserman [Tue, 10 Jun 2014 22:05:49 +0000 (18:05 -0400)]
Correctly handle "ca-cert" in peerGetConfigBlob
Kevin Wasserman [Fri, 6 Jun 2014 12:11:03 +0000 (08:11 -0400)]
Treat caCertificate as PEM contents rather than PEM filename
Luke Howard [Mon, 2 Dec 2013 06:10:56 +0000 (17:10 +1100)]
take length of display_value, not value
Luke Howard [Mon, 2 Dec 2013 06:10:07 +0000 (17:10 +1100)]
gssHeaderLength redundantly initialized
Luke Howard [Mon, 2 Dec 2013 06:09:43 +0000 (17:09 +1100)]
assert name non-NULL before dereferencing
Luke Howard [Mon, 2 Dec 2013 06:09:24 +0000 (17:09 +1100)]
gss_trailerlen = 0 not used
Luke Howard [Mon, 2 Dec 2013 06:09:03 +0000 (17:09 +1100)]
zeroAndReleasePassword must be called with non-NULL buffer
Luke Howard [Mon, 2 Dec 2013 06:07:19 +0000 (17:07 +1100)]
don't set major = GSS_S_FAILURE twice
Luke Howard [Mon, 2 Dec 2013 06:04:51 +0000 (17:04 +1100)]
do not ignore sequenceCheck() return value
Luke Howard [Mon, 2 Dec 2013 06:03:50 +0000 (17:03 +1100)]
check gssEapRadiusAddAttr(REALM_NAME) return code
Luke Howard [Mon, 2 Dec 2013 06:03:36 +0000 (17:03 +1100)]
tok_type can never be -1
Sam Hartman [Wed, 27 Nov 2013 05:14:43 +0000 (00:14 -0500)]
Bump release to turn on sha256
Sam Hartman [Wed, 20 Nov 2013 14:06:52 +0000 (09:06 -0500)]
libeap: enable sha256
Sam Hartman [Tue, 26 Nov 2013 13:07:10 +0000 (08:07 -0500)]
Bump specfile version
Sam Hartman [Tue, 26 Nov 2013 13:05:37 +0000 (08:05 -0500)]
libeap: ignore TLS errors before any TLS calls
Ignore any errors that take place before the packet is started.
Sam Hartman [Mon, 25 Nov 2013 14:23:40 +0000 (09:23 -0500)]
bump release
Sam Hartman [Thu, 21 Nov 2013 18:27:52 +0000 (13:27 -0500)]
util:name: 1-component principals can be services too
accept_sec_context.c: Only add hostname if we have one
Sam Hartman [Mon, 11 Nov 2013 19:52:11 +0000 (14:52 -0500)]
specfile: new release
Kevin Wasserman [Mon, 11 Nov 2013 12:09:39 +0000 (07:09 -0500)]
Fix logic for parsing princ components (LP: #1249863)
Avoid segfault when missing acceptor realm.
Sam Hartman [Mon, 28 Oct 2013 18:16:59 +0000 (14:16 -0400)]
specfile: %post handles /etc/gss/mech
Sam Hartman [Mon, 28 Oct 2013 17:31:54 +0000 (13:31 -0400)]
Temporary: set mutual in flags token
Force mutual flag on the context prior to sending the flags token until channel binding is better deployed.
Sam Hartman [Mon, 28 Oct 2013 17:21:25 +0000 (13:21 -0400)]
setting flags in verify MIC too late
We've been force setting mutual authentication in the verify mic SM callback. We need to set mutual authentication prior to sending the flags token.
Sam Hartman [Fri, 11 Oct 2013 14:03:40 +0000 (10:03 -0400)]
Update for another libradsec
Sam Hartman [Fri, 11 Oct 2013 12:41:32 +0000 (08:41 -0400)]
Force rebuild for rpm to pick up libmoonshot1
Sam Hartman [Thu, 10 Oct 2013 16:17:09 +0000 (12:17 -0400)]
new release
Sam Hartman [Thu, 10 Oct 2013 14:13:48 +0000 (10:13 -0400)]
Don't free parts of the principal in channel bindings (LP: #1237981)
Sam Hartman [Wed, 9 Oct 2013 22:50:25 +0000 (23:50 +0100)]
make dist cleanups
Sam Hartman [Wed, 9 Oct 2013 20:15:19 +0000 (16:15 -0400)]
Make dist cleanup
Sam Hartman [Thu, 26 Sep 2013 15:39:16 +0000 (11:39 -0400)]
Accept NULL data in mech_eap cb response cb
Sam Hartman [Thu, 26 Sep 2013 15:34:18 +0000 (11:34 -0400)]
chbind: Always call response callback
Previously the response callback was only called if there was data for
the namespace that is registered. Now, call the callback whenever any
channel binding response is received. This permits callbacks to get
failure responses with no attributes.
Sam Hartman [Fri, 20 Sep 2013 17:04:12 +0000 (13:04 -0400)]
Merge remote-tracking branch 'origin/eap-tls'
The eap-tls branch includes build dependencies on openssl which we
need for the sha2 hash support in IDP certs. The eap-tls changes are
not widely exposed, but to the extent they are present are harmless.
Conflicts:
libeap/Makefile.am
mech_eap/Makefile.am
mech_eap/gssapiP_eap.h
mech_eap/init_sec_context.c
Sam Hartman [Fri, 20 Sep 2013 01:39:11 +0000 (21:39 -0400)]
Use service specifics utility functions correctly
Sam Hartman [Fri, 20 Sep 2013 01:34:36 +0000 (21:34 -0400)]
Remove extraneous declaration
Sam Hartman [Thu, 19 Sep 2013 19:31:19 +0000 (15:31 -0400)]
temporary: force mutual
Until channel bindings are more widely deployed force mutual
authentication even if channel binding fails.
Sam Hartman [Fri, 13 Sep 2013 19:41:19 +0000 (15:41 -0400)]
EAP Channel binding support
Merge remote-tracking branch 'origin/eap-chbind'
Conflicts:
mech_eap/accept_sec_context.c
mech_eap/dictionary.ukerna
mech_eap/gsseap_err.et
mech_eap/util_radius.h
Sam Hartman [Fri, 31 May 2013 13:35:01 +0000 (09:35 -0400)]
Update for another Red Hat build
Sam Hartman [Tue, 28 May 2013 19:06:58 +0000 (15:06 -0400)]
Update RPM release to link against libmoonshot
Sam Hartman [Wed, 8 May 2013 11:58:28 +0000 (07:58 -0400)]
Increase version for Red Hat because of new OID and IETF changes; this should have been done back in May
Sam Hartman [Tue, 30 Apr 2013 19:55:05 +0000 (15:55 -0400)]
Update build deps for shibboleth
Sam Hartman [Mon, 29 Apr 2013 20:26:07 +0000 (16:26 -0400)]
Support curl-openssl-devel from shibboleth in RH spec files
Sam Hartman [Fri, 26 Apr 2013 21:26:29 +0000 (22:26 +0100)]
Update spec for mech_eap
Luke Howard [Thu, 18 Apr 2013 22:55:24 +0000 (18:55 -0400)]
fix build without OpenSAML
Luke Howard [Thu, 18 Apr 2013 22:45:10 +0000 (18:45 -0400)]
Reindent
Luke Howard [Thu, 18 Apr 2013 22:41:59 +0000 (18:41 -0400)]
Reindent
Sam Hartman [Thu, 4 Apr 2013 16:25:17 +0000 (12:25 -0400)]
textual identities to UI
The call to moonshot_get_identity included exported name tokens; the
interface expected C strings. Use gssEapDisplayName instead.
Sam Hartman [Thu, 20 Sep 2012 00:26:58 +0000 (20:26 -0400)]
Clarify where else comes from for code clarity
Luke Howard [Tue, 2 Apr 2013 05:48:02 +0000 (16:48 +1100)]
Chbind cleanups
* indentation
* don't use non-booleans as truth values
* consistent cleanup handling
* improved variable names
Sam Hartman [Tue, 26 Mar 2013 00:25:22 +0000 (20:25 -0400)]
ttls: defer METHOD_DONE if cb pending
Allow a round trip including CB response.
Sam Hartman [Mon, 25 Mar 2013 20:19:36 +0000 (16:19 -0400)]
ttls: chbind_hdr is packed
Sam Hartman [Fri, 22 Mar 2013 19:39:43 +0000 (15:39 -0400)]
libeap: Use AM_CFLAGS not CFLAGS
Sam Hartman [Fri, 22 Mar 2013 18:01:23 +0000 (14:01 -0400)]
libeap: ttls: encapsulate using RADIUS VSA
It turns out that older versions of FreeRADIUS will fail if they
receive a Diameter VSA not in their dictionary. A RADIUS VSA is fine
though. This does not comply with the TTLS spec, but is the best we
can do in terms of interoperability, so do that.
Sam Hartman [Fri, 22 Mar 2013 17:13:28 +0000 (13:13 -0400)]
libeap: use attribute 135 not 134 for ttls chbind
Sam Hartman [Tue, 19 Mar 2013 18:04:27 +0000 (14:04 -0400)]
chbind: use IETF attributes
Use non-VSA IETF attributes for channel binding. Also, permit more
attributes in response than request.
Kevin Wasserman [Fri, 17 Feb 2012 19:30:56 +0000 (14:30 -0500)]
Set GSS_C_MUTUAL_FLAG only on successful channel binding.
Previously, GSS_C_MUTUAL_FLAG was always set in the initiator context;
CTX_FLAG_EAP_CHBIND_ACCEPT was also set on successful channel binding.
Then GSS_C_MUTUAL_FLAG was properly specified in the return flags to
gssEapInitSecContext() depending on whether CTX_FLAG_EAP_CHBIND was set,
but eapGssSmInitGssFlags() was improperly sending GSS_C_MUTUAL_FLAG to
the acceptor even when no channel binding had occurred.
Kevin Wasserman [Wed, 15 Feb 2012 20:22:26 +0000 (15:22 -0500)]
Fix bug in eap_ttls_avp_encapsulate() when >248 bytes are encapsulated.
The src pointer wasn't being advanced, so the first 248 bytes were duplicated
in place of the remainder of the message.
Kevin Wasserman [Fri, 17 Feb 2012 20:09:28 +0000 (15:09 -0500)]
EAP channel bindings cleanup
Simplify radius buffer construction and parse service-specifics correctly.
Kevin Wasserman [Fri, 10 Feb 2012 16:51:12 +0000 (11:51 -0500)]
Simplify and document radius_utils.c and radius_utils.h
Luke Howard [Thu, 13 Dec 2012 19:14:15 +0000 (20:14 +0100)]
krb5_free_unparsed_name deprecated by Heimdal
Use krb5_xfree instead
Luke Howard [Thu, 13 Dec 2012 19:09:42 +0000 (20:09 +0100)]
krb5_free_data_contents deprecated by Heimdal
Use krb5_data_free instead
Luke Howard [Thu, 13 Dec 2012 02:27:39 +0000 (13:27 +1100)]
Indentation fix
Sam Hartman [Fri, 16 Nov 2012 02:38:27 +0000 (21:38 -0500)]
Return WRONG_ACCEPTOR_NAME
Create a new error for incorrect acceptor name received from acceptor
to aid in debugging.
Luke Howard [Tue, 13 Nov 2012 05:25:20 +0000 (16:25 +1100)]
allow empty acceptor names
Luke Howard [Wed, 26 Sep 2012 07:25:22 +0000 (17:25 +1000)]
Indentation fix
Luke Howard [Fri, 21 Sep 2012 19:34:11 +0000 (05:34 +1000)]
Ignore empty realms comparing acceptor name hint
Conflicts:
mech_eap/util_name.c
Luke Howard [Wed, 19 Sep 2012 12:32:42 +0000 (22:32 +1000)]
Call gssEapReleaseName not gss_release_name
We have a mech name, not a union name, so use the local mechanism.
Luke Howard [Wed, 19 Sep 2012 12:09:11 +0000 (22:09 +1000)]
Indentation fix
Luke Howard [Wed, 19 Sep 2012 12:06:02 +0000 (22:06 +1000)]
Fix indentation
Sam Hartman [Wed, 19 Sep 2012 00:45:25 +0000 (20:45 -0400)]
Call gssEapCompareName not gss_compare_name
We have a mech name, not a union name, so use the local mechanism.
Luke Howard [Sun, 16 Sep 2012 04:11:31 +0000 (14:11 +1000)]
Remove references to PADL mechanism OIDs
Luke Howard [Sun, 16 Sep 2012 04:07:44 +0000 (14:07 +1000)]
Neglected gss-eap-v1 arc in OID comment table
Luke Howard [Sun, 16 Sep 2012 03:00:04 +0000 (13:00 +1000)]
Coding style conform
Sam Hartman [Fri, 14 Sep 2012 17:18:08 +0000 (13:18 -0400)]
Update to use IETF RADIUS attributes
draft-ietf-abfab-gss-eap is approved and IANA has assigned
standardized RADIUS attributes, so these are no longer vendor
specific.
Update dictionary file to change the names of the existing attributes.