Use AD-KDCIssued to protect RADIUS authdata. Cleanup.

[mech_eap.orig] / gssapiP_eap.h

diff --git a/gssapiP_eap.h b/gssapiP_eap.h
index 0b2e64e..846c3ed 100644 (file)
--- a/gssapiP_eap.h
+++ b/gssapiP_eap.h
@@ -42,9 +42,9 @@
 
 /* GSS includes */
 #include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
 #include <gssapi/gssapi_ext.h>
 #include "gssapi_eap.h"
-#include "util.h"
 
 /* Kerberos includes */
 #include <krb5.h>
@@ -58,16 +58,10 @@
 #include <wpabuf.h>
 #endif
 
-#ifdef __cplusplus
-struct rc_conf;
-typedef struct rc_conf rc_handle;
-
-struct value_pair;
-typedef struct value_pair VALUE_PAIR;
-#else
 #include <freeradius-client.h>
 #include <freeradius/radius.h>
-#endif
+
+#include "util.h"
 
 /* These name flags are informative and not actually used by anything yet */
 #define NAME_FLAG_NAI                       0x00000001
@@ -84,10 +78,11 @@ struct gss_name_struct {
     struct gss_eap_attr_ctx *attrCtx;
 };
 
-#define CRED_FLAG_INITIATE                  0x00000001
-#define CRED_FLAG_ACCEPT                    0x00000002
-#define CRED_FLAG_DEFAULT_IDENTITY          0x00000004
-#define CRED_FLAG_PASSWORD                  0x00000008
+#define CRED_FLAG_INITIATE                  0x00010000
+#define CRED_FLAG_ACCEPT                    0x00020000
+#define CRED_FLAG_DEFAULT_IDENTITY          0x00040000
+#define CRED_FLAG_PASSWORD                  0x00080000
+#define CRED_FLAG_PUBLIC_MASK               0x0000FFFF
 
 struct gss_cred_id_struct {
     GSSEAP_MUTEX mutex;
@@ -97,17 +92,22 @@ struct gss_cred_id_struct {
     gss_OID_set mechanisms;
     time_t expiryTime;
     char *radiusConfigFile;
+    krb5_ccache krbCredCache;
+    gss_cred_id_t krbCred;
 };
 
 #define CTX_FLAG_INITIATOR                  0x00000001
+#define CTX_FLAG_KRB_REAUTH_GSS             0x00000002
 
 #define CTX_IS_INITIATOR(ctx)               (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
 
 enum gss_eap_state {
     EAP_STATE_IDENTITY = 0,
     EAP_STATE_AUTHENTICATE,
-    EAP_STATE_GSS_CHANNEL_BINDINGS,
-    EAP_STATE_ESTABLISHED
+    EAP_STATE_EXTENSIONS_REQ,
+    EAP_STATE_EXTENSIONS_RESP,
+    EAP_STATE_ESTABLISHED,
+    EAP_STATE_KRB_REAUTH_GSS
 };
 
 #define CTX_IS_ESTABLISHED(ctx)             ((ctx)->state == EAP_STATE_ESTABLISHED)
@@ -135,7 +135,9 @@ struct gss_eap_initiator_ctx {
 
 struct gss_eap_acceptor_ctx {
     rc_handle *radHandle;
+    int lastStatus;
     VALUE_PAIR *avps;
+    gss_buffer_desc state;
 };
 
 struct gss_ctx_id_struct {
@@ -157,6 +159,8 @@ struct gss_ctx_id_struct {
         #define initiatorCtx         ctxU.initiator
         struct gss_eap_acceptor_ctx  acceptor;
         #define acceptorCtx          ctxU.acceptor
+        gss_ctx_id_t                 kerberos;
+        #define kerberosCtx          ctxU.kerberos
     } ctxU;
 };
 
@@ -189,4 +193,24 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status,
                         int iov_count,
                         enum gss_eap_token_type toktype);
 
+OM_uint32
+gssEapWrapIovLength(OM_uint32 *minor,
+                    gss_ctx_id_t ctx,
+                    int conf_req_flag,
+                    gss_qop_t qop_req,
+                    int *conf_state,
+                    gss_iov_buffer_desc *iov,
+                    int iov_count);
+OM_uint32
+gssEapWrap(OM_uint32 *minor,
+           gss_ctx_id_t ctx,
+           int conf_req_flag,
+           gss_qop_t qop_req,
+           gss_buffer_t input_message_buffer,
+           int *conf_state,
+           gss_buffer_t output_message_buffer);
+
+unsigned char
+rfc4121Flags(gss_ctx_id_t ctx, int receiving);
+
 #endif /* _GSSAPIP_EAP_H_ */