#define CRED_FLAG_RESOLVED 0x00100000
#define CRED_FLAG_TARGET 0x00200000
#define CRED_FLAG_CERTIFICATE 0x00400000
+#define CRED_FLAG_CONFIG_BLOB 0x00800000
#define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
#ifdef HAVE_HEIMDAL_VERSION
#define CTX_FLAG_EAP_ALT_REJECT 0x01000000
#define CTX_FLAG_EAP_MASK 0xFFFF0000
+#define CONFIG_BLOB_CLIENT_CERT 0
+#define CONFIG_BLOB_PRIVATE_KEY 1
+#define CONFIG_BLOB_MAX 2
+
struct gss_eap_initiator_ctx {
unsigned int idleWhile;
struct eap_peer_config eapPeerConfig;
struct eap_sm *eap;
struct wpabuf reqData;
+ struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];
};
#ifdef GSSEAP_ENABLE_ACCEPTOR
}
static const struct wpa_config_blob *
-peerGetConfigBlob(void *ctx GSSEAP_UNUSED,
- const char *name GSSEAP_UNUSED)
+peerGetConfigBlob(void *ctx,
+ const char *name)
{
- return NULL;
+ gss_ctx_id_t gssCtx = (gss_ctx_id_t)ctx;
+ size_t index;
+
+ if (strcmp(name, "client-cert") == 0)
+ index = CONFIG_BLOB_CLIENT_CERT;
+ else if (strcmp(name, "private-key") == 0)
+ index = CONFIG_BLOB_PRIVATE_KEY;
+ else
+ return NULL;
+
+ return &gssCtx->initiatorCtx.configBlobs[index];
}
static void
OM_uint32 major;
krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
+ struct wpa_config_blob *configBlobs = ctx->initiatorCtx.configBlobs;
gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
gss_cred_id_t cred = ctx->cred;
eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
if (cred->flags & CRED_FLAG_CERTIFICATE) {
- eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
- eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
+ /*
+ * CRED_FLAG_CONFIG_BLOB is an internal flag which will be used in the
+ * future to directly pass certificate and private key data to the
+ * EAP implementation, rather than an indirected string pointer.
+ */
+ if (cred->flags & CRED_FLAG_CONFIG_BLOB) {
+ eapPeerConfig->client_cert = (unsigned char *)"blob://client-cert";
+ configBlobs[CONFIG_BLOB_CLIENT_CERT].data = cred->clientCertificate.value;
+ configBlobs[CONFIG_BLOB_CLIENT_CERT].len = cred->clientCertificate.length;
+
+ eapPeerConfig->client_cert = (unsigned char *)"blob://private-key";
+ configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->clientCertificate.value;
+ configBlobs[CONFIG_BLOB_PRIVATE_KEY].len = cred->privateKey.length;
+ } else {
+ eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
+ eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
+ }
eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
}