#include <assert.h>
#include <string.h>
#include <errno.h>
+#ifdef HAVE_UNISTD_H
#include <unistd.h>
+#endif
+#ifdef HAVE_STDLIB_H
#include <stdlib.h>
+#endif
+#ifdef HAVE_STDARG_H
#include <stdarg.h>
+#endif
#include <time.h>
+#ifdef HAVE_SYS_PARAM_H
#include <sys/param.h>
+#endif
/* GSS headers */
#include <gssapi/gssapi.h>
#endif
#include "gssapi_eap.h"
+#ifndef HAVE_GSS_INQUIRE_ATTRS_FOR_MECH
+typedef const gss_OID_desc *gss_const_OID;
+#endif
+
/* Kerberos headers */
#include <krb5.h>
/* EAP headers */
+#include <includes.h>
#include <common.h>
#include <eap_peer/eap.h>
#include <eap_peer/eap_config.h>
#include <wpabuf.h>
/* FreeRADIUS headers */
+#ifdef GSSEAP_ENABLE_ACCEPTOR
#ifdef __cplusplus
extern "C" {
#define operator fr_operator
#undef operator
}
#endif
+#endif /* GSSEAP_ENABLE_ACCEPTOR */
#include "gsseap_err.h"
#include "radsec_err.h"
OM_uint32 flags;
gss_OID mechanismUsed; /* this is immutable */
krb5_principal krbPrincipal; /* this is immutable */
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_attr_ctx *attrCtx;
+#endif
};
#define CRED_FLAG_INITIATE 0x00010000
#define CRED_FLAG_ACCEPT 0x00020000
-#define CRED_FLAG_DEFAULT_IDENTITY 0x00040000
-#define CRED_FLAG_PASSWORD 0x00080000
-#define CRED_FLAG_DEFAULT_CCACHE 0x00100000
+#define CRED_FLAG_PASSWORD 0x00040000
+#define CRED_FLAG_DEFAULT_CCACHE 0x00080000
+#define CRED_FLAG_RESOLVED 0x00100000
#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
#ifdef HAVE_HEIMDAL_VERSION
GSSEAP_MUTEX mutex;
OM_uint32 flags;
gss_name_t name;
+ gss_name_t target; /* for initiator */
gss_buffer_desc password;
gss_OID_set mechanisms;
time_t expiryTime;
- char *radiusConfigFile;
- char *radiusConfigStanza;
+ gss_buffer_desc radiusConfigFile;
+ gss_buffer_desc radiusConfigStanza;
+ gss_buffer_desc caCertificate;
+ gss_buffer_desc subjectNameConstraint;
+ gss_buffer_desc subjectAltNameConstraint;
#ifdef GSSEAP_ENABLE_REAUTH
krb5_ccache krbCredCache;
gss_cred_id_t reauthCred;
struct wpabuf reqData;
};
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_acceptor_ctx {
struct rs_context *radContext;
struct rs_connection *radConn;
gss_buffer_desc state;
VALUE_PAIR *vps;
};
+#endif
#ifdef HAVE_HEIMDAL_VERSION
struct gss_ctx_id_t_desc_struct
time_t expiryTime;
uint64_t sendSeq, recvSeq;
void *seqState;
- gss_cred_id_t defaultCred;
+ gss_cred_id_t cred;
union {
struct gss_eap_initiator_ctx initiator;
#define initiatorCtx ctxU.initiator
+#ifdef GSSEAP_ENABLE_ACCEPTOR
struct gss_eap_acceptor_ctx acceptor;
#define acceptorCtx ctxU.acceptor
+#endif
#ifdef GSSEAP_ENABLE_REAUTH
gss_ctx_id_t reauth;
#define reauthCtx ctxU.reauth
#endif
} ctxU;
+ const struct gss_eap_token_buffer_set *inputTokens;
+ const struct gss_eap_token_buffer_set *outputTokens;
};
#define TOK_FLAG_SENDER_IS_ACCEPTOR 0x01
#define KEY_USAGE_INITIATOR_SEAL 24
#define KEY_USAGE_INITIATOR_SIGN 25
+/* accept_sec_context.c */
+OM_uint32
+gssEapAcceptSecContext(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_cred_id_t cred,
+ gss_buffer_t input_token,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_name_t *src_name,
+ gss_OID *mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec,
+ gss_cred_id_t *delegated_cred_handle);
+
+/* init_sec_context.c */
+OM_uint32
+gssEapInitSecContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec);
+
/* wrap_iov.c */
OM_uint32
gssEapWrapOrGetMIC(OM_uint32 *minor,
#define IS_WIRE_ERROR(err) ((err) > GSSEAP_RESERVED && \
(err) <= GSSEAP_RADIUS_PROT_FAILURE)
+/* upper bound of RADIUS error range must be kept in sync with radsec.h */
+#define IS_RADIUS_ERROR(err) ((err) >= ERROR_TABLE_BASE_rse && \
+ (err) <= ERROR_TABLE_BASE_rse + 20)
+
/* export_sec_context.c */
OM_uint32
gssEapExportSecContext(OM_uint32 *minor,