[submodule "jansson"]
path = jansson
url = git://github.com/akheron/jansson.git
+[submodule "firefox"]
+ path = firefox
+ url = http://www.project-moonshot.org/git/moonshot-firefox.git
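Review bot: The new `url = http://www.project-moonshot.org/git/moonshot-firefox.git` fetches the submodule over plaintext HTTP, and the existing jansson entry uses the unauthenticated `git://` transport, so neither URL lets git verify which server it is talking to. The gitlink recorded in the superproject does check fetched objects against the pinned commit hash, so the practical exposure is limited to workflows that take a branch head from these URLs directly (`git submodule update --remote` and similar tooling) rather than the pinned checkout. If both hosts serve `https://`, switching the two URLs removes that gap at no cost; if only the new one does, at least the firefox entry should use it.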
for rep in *.git; do
(cd $rep&&git svn fetch)
done
+cd $module_root/radsecproxy.git
+git fetch origin
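Review bot: `cd $module_root/radsecproxy.git` is neither quoted nor checked, so if `$module_root` is unset, contains whitespace, or the directory is missing, the shell keeps going and `git fetch origin` runs in whatever directory the preceding loop left as the working directory. Write `cd "$module_root/radsecproxy.git" || exit 1` so a failed directory change aborts the script instead of fetching into the wrong repository. The `cd $rep&&git svn fetch` on the line above has the same quoting issue, though it runs in a subshell so a failure there only skips that iteration; the point where `$module_root` is assigned is outside this hunk.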
--- /dev/null
+Subproject commit 3dd30c1cb60608e936d6734b29eb9c01a67cbac6
mech_eap_la_SOURCES = \
accept_sec_context.c \
acquire_cred.c \
+ acquire_cred_ext.c \
acquire_cred_with_password.c \
add_cred.c \
add_cred_with_password.c \
inquire_attrs_for_mech.c \
inquire_context.c \
inquire_cred.c \
+ inquire_cred_by_mech.c \
inquire_cred_by_oid.c \
inquire_mech_for_saslname.c \
inquire_mechs_for_name.c \
- fix ABNF: no slash in the case where there is no host
- specify anonymous behaviour: use empty name
-
+- always intern OIDs so they never need to be freed
if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) {
major = gssEapAcquireCred(minor,
GSS_C_NO_NAME,
+ GSS_C_NO_OID,
GSS_C_NO_BUFFER,
GSS_C_INDEFINITE,
GSS_C_NO_OID_SET,
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- return gssEapAcquireCred(minor, desired_name, GSS_C_NO_BUFFER,
- time_req, desired_mechs, cred_usage,
- output_cred_handle, actual_mechs, time_rec);
+ return gssEapAcquireCred(minor,
+ desired_name,
+ GSS_C_NO_OID,
+ GSS_C_NO_BUFFER,
+ time_req,
+ desired_mechs, cred_usage,
+ output_cred_handle,
+ actual_mechs,
+ time_rec);
}
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Wrapper for acquiring a credential handle.
+ */
+
+#include "gssapiP_eap.h"
+
+OM_uint32
+gss_acquire_cred_ext
+ (OM_uint32 *minor,
+ const gss_name_t desired_name,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t *output_cred_handle
+ )
+{
+ OM_uint32 major;
+ gss_OID_set_desc mechs;
+
+ mechs.count = 1;
+ mechs.elements = (gss_OID)desired_mech;
+
+ major = gssEapAcquireCred(minor,
+ desired_name,
+ credential_type,
+ credential_data,
+ time_req,
+ &mechs,
+ cred_usage,
+ output_cred_handle,
+ NULL,
+ NULL);
+
+ return major;
+}
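Review bot: `mechs.count = 1;` and `mechs.elements = (gss_OID)desired_mech;` run unconditionally, so a caller that passes GSS_C_NO_OID for desired_mech (the usual way to ask for the default mechanism) hands gssEapAcquireCred a one-element OID set whose only element is a NULL pointer; if that set is walked the NULL is dereferenced, and in any case it differs from the GSS_C_NO_OID_SET that gss_acquire_cred passes for the same intent elsewhere in this commit. Build the singleton set only when a mechanism was actually requested and pass GSS_C_NO_OID_SET otherwise. The cast also discards the const qualifier of gss_const_OID; a one-line comment stating that gssEapAcquireCred does not write through the set would make that deliberate.
```c
    gss_OID_set_desc mechs;
    gss_OID_set desired_mechs = GSS_C_NO_OID_SET;

    /* Only build a singleton set when the caller named a mechanism;
     * GSS_C_NO_OID means "any", which gssEapAcquireCred expresses as
     * GSS_C_NO_OID_SET.  The const is dropped because the callee only reads. */
    if (desired_mech != GSS_C_NO_OID) {
        mechs.count = 1;
        mechs.elements = (gss_OID)desired_mech;
        desired_mechs = &mechs;
    }

    /* … unchanged: gssEapAcquireCred call, passing desired_mechs in place of &mechs … */
```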
gss_OID_set *actual_mechs,
OM_uint32 *time_rec)
{
- return gssEapAcquireCred(minor, desired_name, password,
- time_req, desired_mechs, cred_usage,
- output_cred_handle, actual_mechs, time_rec);
+ return gssEapAcquireCred(minor,
+ desired_name,
+ &gssEapPasswordCredType,
+ password,
+ time_req,
+ desired_mechs,
+ cred_usage,
+ output_cred_handle,
+ actual_mechs,
+ time_rec);
}
major = gssEapAcquireCred(minor,
desired_name,
+ GSS_C_NO_OID,
GSS_C_NO_BUFFER,
time_req,
&mechs,
major = gssEapAcquireCred(minor,
desired_name,
+ &gssEapPasswordCredType,
password,
time_req,
&mechs,
error_code GSSEAP_CRED_USAGE_MISMATCH, "Credential usage does not match requested usage"
error_code GSSEAP_CRED_MECH_MISMATCH, "Credential is not usable with this mechanism"
error_code GSSEAP_CRED_EXPIRED, "Attributes indicate credentials have expired"
+error_code GSSEAP_BAD_CRED_TYPE, "Bad credential type"
error_code GSSEAP_BAD_CRED_OPTION, "Bad credential option"
error_code GSSEAP_NO_DEFAULT_IDENTITY, "Default credentials identity unavailable"
error_code GSSEAP_NO_DEFAULT_CRED, "Missing default password or other credentials"
+
#
# Wrap/unwrap/PRF errors
#
if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) {
major = gssEapAcquireCred(minor,
GSS_C_NO_NAME,
+ GSS_C_NO_OID,
GSS_C_NO_BUFFER,
time_req,
GSS_C_NO_OID_SET,
gss_OID_set *mechanisms)
{
OM_uint32 major;
- time_t now, lifetime;
if (cred == NULL) {
*minor = EINVAL;
GSSEAP_MUTEX_LOCK(&cred->mutex);
- if (name != NULL) {
- major = gssEapDuplicateName(minor, cred->name, name);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- if (cred_usage != NULL) {
- OM_uint32 flags = (cred->flags & (CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT));
-
- switch (flags) {
- case CRED_FLAG_INITIATE:
- *cred_usage = GSS_C_INITIATE;
- break;
- case CRED_FLAG_ACCEPT:
- *cred_usage = GSS_C_ACCEPT;
- break;
- default:
- *cred_usage = GSS_C_BOTH;
- break;
- }
- }
-
- if (mechanisms != NULL) {
- if (cred->mechanisms != GSS_C_NO_OID_SET)
- major = duplicateOidSet(minor, cred->mechanisms, mechanisms);
- else
- major = gssEapIndicateMechs(minor, mechanisms);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- if (cred->expiryTime == 0) {
- lifetime = GSS_C_INDEFINITE;
- } else {
- now = time(NULL);
- lifetime = now - cred->expiryTime;
- if (lifetime < 0)
- lifetime = 0;
- }
-
- if (pLifetime != NULL) {
- *pLifetime = lifetime;
- }
-
- if (lifetime == 0) {
- major = GSS_S_CREDENTIALS_EXPIRED;
- *minor = GSSEAP_CRED_EXPIRED;
- goto cleanup;
- }
-
- major = GSS_S_COMPLETE;
- *minor = 0;
+ major = gssEapInquireCred(minor, cred, name, pLifetime, cred_usage, mechanisms);
-cleanup:
GSSEAP_MUTEX_UNLOCK(&cred->mutex);
return major;
--- /dev/null
+/*
+ * Copyright (c) 2011, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Return credential handle properties.
+ */
+
+#include "gssapiP_eap.h"
+
+OM_uint32
+gss_inquire_cred_by_mech(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_OID mech_type,
+ gss_name_t *name,
+ OM_uint32 *pInitiatorLifetime,
+ OM_uint32 *pAcceptorLifetime,
+ gss_cred_usage_t *cred_usage)
+{
+ OM_uint32 major, lifetime;
+
+ if (cred == NULL) {
+ *minor = EINVAL;
+ return GSS_S_NO_CRED;
+ }
+
+ GSSEAP_MUTEX_LOCK(&cred->mutex);
+
+ if (!gssEapCredAvailable(cred, mech_type)) {
+ major = GSS_S_BAD_MECH;
+ *minor = GSSEAP_CRED_MECH_MISMATCH;
+ goto cleanup;
+ }
+
+ major = gssEapInquireCred(minor, cred, name, &lifetime, cred_usage, NULL);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ if (pInitiatorLifetime != NULL)
+ *pInitiatorLifetime = (cred->flags & CRED_FLAG_INITIATE) ? lifetime : 0;
+ if (pAcceptorLifetime != NULL)
+ *pAcceptorLifetime = (cred->flags & CRED_FLAG_ACCEPT) ? lifetime : 0;
+
+cleanup:
+ GSSEAP_MUTEX_UNLOCK(&cred->mutex);
+
+ return major;
+}
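Review bot: The header comment `Return credential handle properties.` does not describe how the two lifetime outputs relate, which is the only non-obvious part of this function: `*pInitiatorLifetime = (cred->flags & CRED_FLAG_INITIATE) ? lifetime : 0;` and the acceptor line below it both receive the single lifetime returned by gssEapInquireCred, masked to 0 for the usage the credential does not carry. Suggest extending the header comment to say exactly that, and to note that a mechanism the credential does not cover returns GSS_S_BAD_MECH with minor GSSEAP_CRED_MECH_MISMATCH before any output parameter is written, while an expired credential propagates gssEapInquireCred's status with the lifetime outputs left untouched.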
gss_accept_sec_context
gss_acquire_cred
+gss_acquire_cred_ext
gss_add_cred
gss_add_cred_with_password
gss_authorize_localname
gss_inquire_attrs_for_mech
gss_inquire_context
gss_inquire_cred
+gss_inquire_cred_by_mech
gss_inquire_cred_by_oid
gss_inquire_mechs_for_name
gss_inquire_mech_for_saslname
const gss_buffer_t value)
{
OM_uint32 major;
- gss_ctx_id_t ctx = *pCtx;
+ gss_ctx_id_t ctx;
int i;
major = GSS_S_UNAVAILABLE;
*minor = GSSEAP_BAD_CONTEXT_OPTION;
+ if (pCtx == NULL)
+ ctx = GSS_C_NO_CONTEXT;
+ else
+ ctx = *pCtx;
+
if (ctx != GSS_C_NO_CONTEXT)
GSSEAP_MUTEX_LOCK(&ctx->mutex);
}
}
- if (*pCtx == NULL)
+ if (pCtx != NULL && *pCtx == NULL)
*pCtx = ctx;
- else
+ else if (ctx != GSS_C_NO_CONTEXT)
GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
return major;
gss_channel_bindings_t wireBindings);
/* util_cred.c */
+extern const gss_OID_desc gssEapPasswordCredType;
+
OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
OM_uint32
gssEapAcquireCred(OM_uint32 *minor,
const gss_name_t desiredName,
- const gss_buffer_t password,
+ gss_const_OID credType,
+ const void *credData,
OM_uint32 timeReq,
const gss_OID_set desiredMechs,
int cred_usage,
int gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech);
+OM_uint32
+gssEapInquireCred(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_name_t *name,
+ OM_uint32 *pLifetime,
+ gss_cred_usage_t *cred_usage,
+ gss_OID_set *mechanisms);
+
/* util_crypt.c */
int
gssEapEncrypt(krb5_context context, int dce_style, size_t ec,
#include <pwd.h>
+const gss_OID_desc gssEapPasswordCredType =
+ { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
+
OM_uint32
gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred)
{
OM_uint32
gssEapAcquireCred(OM_uint32 *minor,
const gss_name_t desiredName,
- const gss_buffer_t password,
+ gss_const_OID credType,
+ const void *credData,
OM_uint32 timeReq GSSEAP_UNUSED,
const gss_OID_set desiredMechs,
int credUsage,
gss_name_t defaultIdentityName = GSS_C_NO_NAME;
gss_buffer_desc defaultCreds = GSS_C_EMPTY_BUFFER;
gss_OID nameMech = GSS_C_NO_OID;
+ gss_buffer_t password = GSS_C_NO_BUFFER;
/* XXX TODO validate with changed set_cred_option API */
*pCred = GSS_C_NO_CREDENTIAL;
+ if (credType != GSS_C_NO_OID) {
+ if (oidEqual(credType, &gssEapPasswordCredType)) {
+ password = (gss_buffer_t)credData;
+ } else {
+ major = GSS_S_CRED_UNAVAIL;
+ *minor = GSSEAP_BAD_CRED_TYPE;
+ goto cleanup;
+ }
+ }
+
major = gssEapAllocCred(minor, &cred);
if (GSS_ERROR(major))
goto cleanup;
return present;
}
+
+OM_uint32
+gssEapInquireCred(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_name_t *name,
+ OM_uint32 *pLifetime,
+ gss_cred_usage_t *cred_usage,
+ gss_OID_set *mechanisms)
+{
+ OM_uint32 major;
+ time_t now, lifetime;
+
+ if (name != NULL) {
+ major = gssEapDuplicateName(minor, cred->name, name);
+ if (GSS_ERROR(major))
+ return major;
+ }
+
+ if (cred_usage != NULL) {
+ OM_uint32 flags = (cred->flags & (CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT));
+
+ switch (flags) {
+ case CRED_FLAG_INITIATE:
+ *cred_usage = GSS_C_INITIATE;
+ break;
+ case CRED_FLAG_ACCEPT:
+ *cred_usage = GSS_C_ACCEPT;
+ break;
+ default:
+ *cred_usage = GSS_C_BOTH;
+ break;
+ }
+ }
+
+ if (mechanisms != NULL) {
+ if (cred->mechanisms != GSS_C_NO_OID_SET)
+ major = duplicateOidSet(minor, cred->mechanisms, mechanisms);
+ else
+ major = gssEapIndicateMechs(minor, mechanisms);
+ if (GSS_ERROR(major))
+ return major;
+ }
+
+ if (cred->expiryTime == 0) {
+ lifetime = GSS_C_INDEFINITE;
+ } else {
+ now = time(NULL);
+ lifetime = now - cred->expiryTime;
+ if (lifetime < 0)
+ lifetime = 0;
+ }
+
+ if (pLifetime != NULL) {
+ *pLifetime = lifetime;
+ }
+
+ if (lifetime == 0) {
+ *minor = GSSEAP_CRED_EXPIRED;
+ return GSS_S_CREDENTIALS_EXPIRED;
+ }
+
+ major = GSS_S_COMPLETE;
+ *minor = 0;
+
+ return major;
+}
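Review bot: `lifetime = now - cred->expiryTime;` has its operands reversed: for a credential whose expiryTime is still in the future the difference is negative and is clamped to 0, so gssEapInquireCred reports GSS_S_CREDENTIALS_EXPIRED for a valid credential, while an already-expired one yields a positive, growing lifetime and GSS_S_COMPLETE. The same expression existed in the code this commit removes from gss_inquire_cred, so the commit relocates the defect rather than introducing it, but both gss_inquire_cred and the new gss_inquire_cred_by_mech now inherit it through this helper. The fix is `lifetime = cred->expiryTime - now;`. Separately, `lifetime` is a time_t that is stored into an OM_uint32 via `*pLifetime = lifetime;` and GSS_C_INDEFINITE round-trips through time_t on the way; an explicit conversion or a comment on the intended range would make that narrowing visible.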
gss_OID_set *mechs)
{
krb5_context krbContext;
- OM_uint32 major, tmpMinor;
+ OM_uint32 major;
krb5_enctype *etypes;
int i;
for (i = 0; etypes[i] != ENCTYPE_NULL; i++) {
gss_OID mechOid;
+#ifndef HAVE_HEIMDAL_VERSION
+ OM_uint32 tmpMinor;
+#endif
/* XXX currently we aren't equipped to encode these enctypes */
if (etypes[i] < 0 || etypes[i] > 127)
if (GSS_ERROR(major))
break;
+#ifndef HAVE_HEIMDAL_VERSION
gss_release_oid(&tmpMinor, &mechOid);
+#endif
}
GSSEAP_FREE(etypes);
if (pAssertion != NULL)
*pAssertion = NULL;
- saml = static_cast<const gss_eap_saml_assertion_provider *>
+ saml = static_cast<gss_eap_saml_assertion_provider *>
(m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
if (saml == NULL)
return false;
-Subproject commit 5d212506d4ccc7f0e93dbfc756f380583addb20e
+Subproject commit ac0ba1f390586dd0300f0a036ce30952b1dd5def