/*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
gssEapSign(krb5_context context,
krb5_cksumtype type,
size_t rrc,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto crypto,
+#else
krb5_keyblock *key,
+#endif
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count);
gssEapVerify(krb5_context context,
krb5_cksumtype type,
size_t rrc,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto crypto,
+#else
krb5_keyblock *key,
+#endif
krb5_keyusage sign_usage,
gss_iov_buffer_desc *iov,
int iov_count,
TOK_TYPE_EXPORT_NAME = 0x0401, /* RFC 2743 exported name */
TOK_TYPE_EXPORT_NAME_COMPOSITE = 0x0402, /* exported composite name */
TOK_TYPE_DELETE_CONTEXT = 0x0405, /* RFC 2743 delete context */
- TOK_TYPE_EAP_RESP = 0x0601, /* EAP response */
- TOK_TYPE_EAP_REQ = 0x0602, /* EAP request */
- TOK_TYPE_EXT_REQ = 0x0603, /* GSS EAP extensions request */
- TOK_TYPE_EXT_RESP = 0x0604, /* GSS EAP extensions response */
- TOK_TYPE_GSS_REAUTH = 0x0605, /* GSS EAP fast reauthentication token */
- TOK_TYPE_CONTEXT_ERR = 0x0606, /* context error */
+ TOK_TYPE_ESTABLISH_CONTEXT = 0x0601, /* establish context */
};
+/* inner token types and flags */
+#define ITOK_TYPE_NONE 0x00000000
+#define ITOK_TYPE_CONTEXT_ERR 0x00000001
+#define ITOK_TYPE_ACCEPTOR_NAME_REQ 0x00000002
+#define ITOK_TYPE_ACCEPTOR_NAME_RESP 0x00000003
+#define ITOK_TYPE_EAP_RESP 0x00000004
+#define ITOK_TYPE_EAP_REQ 0x00000005
+#define ITOK_TYPE_GSS_CHANNEL_BINDINGS 0x00000006
+#define ITOK_TYPE_REAUTH_CREDS 0x00000007
+#define ITOK_TYPE_REAUTH_REQ 0x00000008
+#define ITOK_TYPE_REAUTH_RESP 0x00000009
+
+#define ITOK_FLAG_CRITICAL 0x80000000 /* critical, wire flag */
+#define ITOK_FLAG_VERIFIED 0x40000000 /* verified, API flag */
+
+#define ITOK_TYPE_MASK (~(EXT_FLAG_CRITICAL | EXT_FLAG_VERIFIED))
+
OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx);
/* util_crypt.c */
int
gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
- size_t rrc, krb5_keyblock *key, int usage, krb5_pointer iv,
+ size_t rrc,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto crypto,
+#else
+ krb5_keyblock *key,
+#endif
+ int usage,
gss_iov_buffer_desc *iov, int iov_count);
int
gssEapDecrypt(krb5_context context, int dce_style, size_t ec,
- size_t rrc, krb5_keyblock *key, int usage, krb5_pointer iv,
+ size_t rrc,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto crypto,
+#else
+ krb5_keyblock *key,
+#endif
+ int usage,
gss_iov_buffer_desc *iov, int iov_count);
-krb5_cryptotype
+int
gssEapMapCryptoFlag(OM_uint32 type);
gss_iov_buffer_t
krb5_enctype enctype,
krb5_keyblock *pKey);
-/* util_exts.c */
-#define EXT_FLAG_CRITICAL 0x80000000
-#define EXT_FLAG_VERIFIED 0x40000000
-
-#define EXT_TYPE_GSS_CHANNEL_BINDINGS 0x00000000
-#define EXT_TYPE_REAUTH_CREDS 0x00000001
-#define EXT_TYPE_MASK (~(EXT_FLAG_CRITICAL | EXT_FLAG_VERIFIED))
-
-struct gss_eap_extension_provider {
- OM_uint32 type;
- int critical; /* client */
- int required; /* server */
- OM_uint32 (*make)(OM_uint32 *,
- gss_cred_id_t,
- gss_ctx_id_t,
- gss_channel_bindings_t,
- gss_buffer_t);
- OM_uint32 (*verify)(OM_uint32 *,
- gss_cred_id_t,
- gss_ctx_id_t,
- gss_channel_bindings_t,
- const gss_buffer_t);
-};
+/* util_krb.c */
+#ifdef HAVE_HEIMDAL_VERSION
-OM_uint32
-gssEapMakeExtensions(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_channel_bindings_t chanBindings,
- gss_buffer_t buffer);
+#define KRB_TIME_FOREVER ((time_t)~0L)
-OM_uint32
-gssEapVerifyExtensions(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_channel_bindings_t chanBindings,
- const gss_buffer_t buffer);
+#define KRB_KEY_TYPE(key) ((key)->keytype)
+#define KRB_KEY_DATA(key) ((key)->keyvalue.data)
+#define KRB_KEY_LENGTH(key) ((key)->keyvalue.length)
+
+#define KRB_PRINC_LENGTH(princ) ((princ)->name.name_string.len)
+#define KRB_PRINC_TYPE(princ) ((princ)->name.name_type)
+#define KRB_PRINC_NAME(princ) ((princ)->name.name_string.val)
+#define KRB_PRINC_REALM(princ) ((princ)->realm)
+
+#define KRB_KT_ENT_KEYBLOCK(e) (&(e)->keyblock)
+#define KRB_KT_ENT_FREE(c, e) krb5_kt_free_entry((c), (e))
+
+#define KRB_CRYPTO_CONTEXT(ctx) (krbCrypto)
+
+#else
+
+#define KRB_TIME_FOREVER KRB5_INT32_MAX
-/* util_krb.c */
#define KRB_KEY_TYPE(key) ((key)->enctype)
#define KRB_KEY_DATA(key) ((key)->contents)
#define KRB_KEY_LENGTH(key) ((key)->length)
+
+#define KRB_PRINC_LENGTH(princ) (krb5_princ_size(NULL, (princ)))
+#define KRB_PRINC_TYPE(princ) (krb5_princ_type(NULL, (princ)))
+#define KRB_PRINC_NAME(princ) (krb5_princ_name(NULL, (princ)))
+#define KRB_PRINC_REALM(princ) (krb5_princ_realm(NULL, (princ)))
+
+#define KRB_KT_ENT_KEYBLOCK(e) (&(e)->key)
+#define KRB_KT_ENT_FREE(c, e) krb5_free_keytab_entry_contents((c), (e))
+
+#define KRB_CRYPTO_CONTEXT(ctx) (&(ctx)->rfc3961Key)
+
+#endif /* HAVE_HEIMDAL_VERSION */
+
#define KRB_KEY_INIT(key) do { \
KRB_KEY_TYPE(key) = ENCTYPE_NULL; \
KRB_KEY_DATA(key) = NULL; \
krb5_keyblock *key,
krb5_cksumtype *cksumtype);
+krb5_const_principal
+krbAnonymousPrincipal(void);
+
+krb5_error_code
+krbCryptoLength(krb5_context krbContext,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto,
+#else
+ krb5_keyblock *key,
+#endif
+ int type,
+ size_t *length);
+
+krb5_error_code
+krbPaddingLength(krb5_context krbContext,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto,
+#else
+ krb5_keyblock *key,
+#endif
+ size_t dataLength,
+ size_t *padLength);
+
+krb5_error_code
+krbBlockSize(krb5_context krbContext,
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto,
+#else
+ krb5_keyblock *key,
+#endif
+ size_t *blockSize);
+
+krb5_error_code
+krbEnctypeToString(krb5_context krbContext,
+ krb5_enctype enctype,
+ const char *prefix,
+ gss_buffer_t string);
+
+krb5_error_code
+krbMakeAuthDataKdcIssued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+#ifdef HAVE_HEIMDAL_VERSION
+ const AuthorizationData *authdata,
+ AuthorizationData *adKdcIssued
+#else
+ krb5_authdata *const *authdata,
+ krb5_authdata ***adKdcIssued
+#endif
+ );
+
+krb5_error_code
+krbMakeCred(krb5_context context,
+ krb5_auth_context authcontext,
+ krb5_creds *creds,
+ krb5_data *data);
+
/* util_lucid.c */
OM_uint32
gssEapExportLucidSecContext(OM_uint32 *minor,
gss_OID *const pInternalizedOid);
OM_uint32
+gssEapReleaseOid(OM_uint32 *minor, gss_OID *oid);
+
+OM_uint32
gssEapDefaultMech(OM_uint32 *minor,
gss_OID *oid);
sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum,
int do_replay, int do_sequence, int wide_nums);
+/* util_sm.c */
+struct gss_eap_sm;
+
+OM_uint32
+gssEapSmStep(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target,
+ gss_OID mech,
+ OM_uint32 reqFlags,
+ OM_uint32 timeReq,
+ gss_channel_bindings_t chanBindings,
+ gss_buffer_t inputToken,
+ gss_buffer_t outputToken,
+ struct gss_eap_sm *sm,
+ size_t smCount);
+
/* util_token.c */
+OM_uint32
+gssEapEncodeInnerTokens(OM_uint32 *minor,
+ gss_buffer_set_t extensions,
+ OM_uint32 *types,
+ gss_buffer_t buffer);
+OM_uint32
+gssEapDecodeInnerTokens(OM_uint32 *minor,
+ const gss_buffer_t buffer,
+ gss_buffer_set_t *pExtensions,
+ OM_uint32 **pTypes);
+
size_t
tokenSize(const gss_OID_desc *mech, size_t body_size);
}
static inline void
+krbPrincComponentToGssBuffer(krb5_principal krbPrinc,
+ int index, gss_buffer_t buffer)
+{
+#ifdef HAVE_HEIMDAL_VERSION
+ buffer->value = (void *)KRB_PRINC_NAME(krbPrinc)[index];
+ buffer->length = strlen((char *)buffer->value);
+#else
+ buffer->value = (void *)krb5_princ_component(NULL, krbPrinc, index)->data;
+ buffer->length = krb5_princ_component(NULL, krbPrinc, index)->length;
+#endif /* HAVE_HEIMDAL_VERSION */
+}
+
+static inline void
+krbPrincRealmToGssBuffer(krb5_principal krbPrinc, gss_buffer_t buffer)
+{
+#ifdef HAVE_HEIMDAL_VERSION
+ buffer->value = (void *)KRB_PRINC_REALM(krbPrinc);
+ buffer->length = strlen((char *)buffer->value);
+#else
+ krbDataToGssBuffer(KRB_PRINC_REALM(krbPrinc), buffer);
+#endif
+}
+
+static inline void
gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data)
{
data->data = (char *)buffer->value;