From: Kevin Wasserman Date: Wed, 15 Jun 2011 15:13:05 +0000 (-0400) Subject: Conditionalized Acceptor codepaths and modules. X-Git-Tag: tr-beta1~106^2~22 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=moonshot.git;a=commitdiff_plain;h=438d1c89e95b9691054ab136ae815ac3d70e9053 Conditionalized Acceptor codepaths and modules. Acceptor code is enabled by default; use configure --enable-acceptor=no to disable. When disabled, Acceptor functions are stubbed out and return GSS_S_UNAVAILABLE. util_attr,util_json,util_radius,util_saml are removed to eliminate dependencies on saml, radius, shibboleth, and json. --- diff --git a/moonshot/configure.ac b/moonshot/configure.ac index 22d4022..211bf71 100644 --- a/moonshot/configure.ac +++ b/moonshot/configure.ac @@ -2,12 +2,13 @@ AC_PREREQ([2.61]) AC_INIT([mech_eap], [0.1], [bugs@project-moonshot.org]) dnl AC_CONFIG_MACRO_DIR([m4]) dnl AM_INIT_AUTOMAKE([silent-rules]) +AC_USE_SYSTEM_EXTENSIONS +AC_GNU_SOURCE AM_INIT_AUTOMAKE -AM_MAINTAINTER_MODE() +AM_MAINTAINER_MODE() LT_PREREQ([2.2]) LT_INIT([dlopen disable-static]) -AC_GNU_SOURCE AC_PROG_CC AC_PROG_CXX AC_CONFIG_HEADERS([config.h]) @@ -46,6 +47,23 @@ if test "x$reauth" = "xyes" ; then fi AM_CONDITIONAL(GSSEAP_ENABLE_REAUTH, test "x$reauth" != "xno") +acceptor=yes +AC_ARG_ENABLE(acceptor, + [ --enable-acceptor whether to enable acceptor codepaths: yes/no; default yes ], + [ if test "x$enableval" = "xyes" -o "x$enableval" = "xno" ; then + acceptor=$enableval + else + echo "--enable-acceptor argument must be yes or no" + exit -1 + fi + ]) + +if test "x$acceptor" = "xyes" ; then + echo "acceptor enabled" + TARGET_CFLAGS="$TARGET_CFLAGS -DGSSEAP_ENABLE_ACCEPTOR" +fi +AM_CONDITIONAL(GSSEAP_ENABLE_ACCEPTOR, test "x$acceptor" != "xno") + AC_SUBST(TARGET_CFLAGS) AC_SUBST(TARGET_LDFLAGS) AX_CHECK_KRB5 diff --git a/moonshot/mech_eap/Makefile.am b/moonshot/mech_eap/Makefile.am index 261191a..499f624 100644 --- a/moonshot/mech_eap/Makefile.am +++ b/moonshot/mech_eap/Makefile.am 
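Review bot: `AC_GNU_SOURCE` is re-added directly after the new `AC_USE_SYSTEM_EXTENSIONS` line, but the latter already requests `_GNU_SOURCE` (autoconf documents AC_GNU_SOURCE as a subset of it), so the second macro is redundant and could be dropped rather than moved. The `AM_MAINTAINTER_MODE` spelling fix is a genuine correction since the misspelled name was never expanding.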
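Review bot: The `--enable-acceptor` choice is recorded only in `TARGET_CFLAGS`, yet gssapiP_eap.h now changes the layout of `struct gss_ctx_id_struct` depending on `GSSEAP_ENABLE_ACCEPTOR` (the `acceptor` union member disappears), so every translation unit that includes that header must be compiled with the same value; any object in the tree built without TARGET_CFLAGS would silently get a different struct layout. Recording the decision in config.h as well, `AC_DEFINE([GSSEAP_ENABLE_ACCEPTOR], [1], [Define to build the acceptor code paths])`, removes that dependence on per-target flags (the reauth flag above may have the same issue, but its assignment is outside the hunk). Separately, `exit -1` is not a valid exit status in sh (it wraps to 255) and bypasses autoconf's diagnostics; `AC_MSG_ERROR([--enable-acceptor argument must be yes or no])` is the conventional form and stops configure cleanly.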
@@ -74,23 +74,18 @@ mech_eap_la_SOURCES = \ store_cred.c \ unwrap.c \ unwrap_iov.c \ - util_attr.cpp \ util_base64.c \ util_buffer.c \ util_context.c \ util_cksum.c \ util_cred.c \ util_crypt.c \ - util_json.cpp \ util_krb.c \ util_lucid.c \ util_mech.c \ util_name.c \ util_oid.c \ util_ordering.c \ - util_radius.cpp \ - util_saml.cpp \ - util_shib.cpp \ util_sm.c \ util_token.c \ verify_mic.c \ @@ -101,11 +96,13 @@ mech_eap_la_SOURCES = \ BUILT_SOURCES = gsseap_err.c radsec_err.c +if GSSEAP_ENABLE_ACCEPTOR +mech_eap_la_SOURCES += util_attr.c util_json.c util_radius.c util_shib.c util_saml.c +endif + if GSSEAP_ENABLE_REAUTH mech_eap_la_SOURCES += util_reauth.c - - if !HEIMDAL krb5pluginsdir = $(libdir)/krb5/plugins/authdata krb5plugins_LTLIBRARIES = radius_ad.la @@ -119,6 +116,7 @@ radius_ad_la_SOURCES = util_adshim.c endif endif + gsseap_err.h gsseap_err.c: gsseap_err.et $(COMPILE_ET) $< diff --git a/moonshot/mech_eap/accept_sec_context.c b/moonshot/mech_eap/accept_sec_context.c index cc8702d..65bb9ce 100644 --- a/moonshot/mech_eap/accept_sec_context.c +++ b/moonshot/mech_eap/accept_sec_context.c @@ -36,7 +36,7 @@ */ #include "gssapiP_eap.h" - +#ifdef GSSEAP_ENABLE_ACCEPTOR #ifdef GSSEAP_ENABLE_REAUTH static OM_uint32 eapGssSmAcceptGssReauth(OM_uint32 *minor, 
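Review bot: The conditional block re-adds the acceptor modules as `util_attr.c util_json.c util_radius.c util_shib.c util_saml.c`, while the lines removed from mech_eap_la_SOURCES in this hunk list them as `.cpp`; unless this commit also renames those files (no rename appears in the diff), automake will look for sources that do not exist and the default build, which keeps the acceptor enabled, breaks. Keep the original extensions: `mech_eap_la_SOURCES += util_attr.cpp util_json.cpp util_radius.cpp util_shib.cpp util_saml.cpp`. Listing them one per line with backslash continuations, as the unconditional list above does, would also keep later diffs readable.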
@@ -799,20 +799,28 @@ static struct gss_eap_sm eapGssAcceptorSm[] = { eapGssSmAcceptCompleteAcceptorExts }, }; +#endif /* GSSEAP_ENABLE_ACCEPTOR */ + +#ifdef GSSEAP_ENABLE_ACCEPTOR +#define ACCEPTOR_PARAM(p) p +#else +#define ACCEPTOR_PARAM(p) UNUSED_PARAM(p) +#endif OM_uint32 -gss_accept_sec_context(OM_uint32 *minor, - gss_ctx_id_t *context_handle, - gss_cred_id_t cred, - gss_buffer_t input_token, - gss_channel_bindings_t input_chan_bindings, - gss_name_t *src_name, - gss_OID *mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - gss_cred_id_t *delegated_cred_handle) +gss_accept_sec_context(OM_uint32 *ACCEPTOR_PARAM(minor), + gss_ctx_id_t *ACCEPTOR_PARAM(context_handle), + gss_cred_id_t ACCEPTOR_PARAM(cred), + gss_buffer_t ACCEPTOR_PARAM(input_token), + gss_channel_bindings_t ACCEPTOR_PARAM(input_chan_bindings), + gss_name_t *ACCEPTOR_PARAM(src_name), + gss_OID *ACCEPTOR_PARAM(mech_type), + gss_buffer_t ACCEPTOR_PARAM(output_token), + OM_uint32 *ACCEPTOR_PARAM(ret_flags), + OM_uint32 *ACCEPTOR_PARAM(time_rec), + gss_cred_id_t *ACCEPTOR_PARAM(delegated_cred_handle)) { +#ifdef GSSEAP_ENABLE_ACCEPTOR OM_uint32 major, tmpMinor; gss_ctx_id_t ctx = *context_handle; @@ -838,7 +846,7 @@ gss_accept_sec_context(OM_uint32 *minor, } GSSEAP_MUTEX_LOCK(&ctx->mutex); - + if (cred == GSS_C_NO_CREDENTIAL) { if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { major = gssEapAcquireCred(minor, @@ -919,8 +927,12 @@ cleanup: gssEapReleaseContext(&tmpMinor, context_handle); return major; +#else + return GSS_S_UNAVAILABLE; +#endif /* GSSEAP_ENABLE_ACCEPTOR */ } +#ifdef GSSEAP_ENABLE_ACCEPTOR #ifdef GSSEAP_ENABLE_REAUTH static OM_uint32 acceptReadyKrb(OM_uint32 *minor, @@ -1002,3 +1014,4 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor, return major; } #endif /* GSSEAP_ENABLE_REAUTH */ +#endif /* GSSEAP_ENABLE_ACCEPTOR */ \ No newline at end of file 
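Review bot: In the acceptor-less build the stub at the end of gss_accept_sec_context (the `@@ -919` hunk) returns GSS_S_UNAVAILABLE without touching `*minor` or `output_token`, so a caller that logs the minor status or releases `output_token` after any failure, as mechglue layers and applications commonly do, operates on whatever those locations happened to hold. Because every parameter here is wrapped in `ACCEPTOR_PARAM`, which expands to `UNUSED_PARAM` in that build, the stub cannot simply assign to them; if UNUSED_PARAM only attaches an attribute the names remain usable, otherwise leave `minor` and `output_token` unwrapped. The stub then becomes `*minor = 0; output_token->length = 0; output_token->value = NULL; return GSS_S_UNAVAILABLE;`. The body of gss_accept_sec_context continues outside this hunk, and the final `#endif` in the last hunk lands on a line without a trailing newline, which some compilers warn about.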
diff --git a/moonshot/mech_eap/delete_name_attribute.c b/moonshot/mech_eap/delete_name_attribute.c index 88cade3..3011e94 100644 --- a/moonshot/mech_eap/delete_name_attribute.c +++ b/moonshot/mech_eap/delete_name_attribute.c @@ -41,6 +41,7 @@ gss_delete_name_attribute(OM_uint32 *minor, gss_name_t name, gss_buffer_t attr) { +#ifdef GSSEAP_ENABLE_ACCEPTOR OM_uint32 major; *minor = 0; @@ -57,4 +58,7 @@ gss_delete_name_attribute(OM_uint32 *minor, GSSEAP_MUTEX_UNLOCK(&name->mutex); return major; +#else + return GSS_S_UNAVAILABLE; +#endif } diff --git a/moonshot/mech_eap/export_sec_context.c b/moonshot/mech_eap/export_sec_context.c index 43f3f28..3176bfe 100644 --- a/moonshot/mech_eap/export_sec_context.c +++ b/moonshot/mech_eap/export_sec_context.c @@ -36,7 +36,7 @@ */ #include "gssapiP_eap.h" - +#ifdef GSSEAP_ENABLE_ACCEPTOR static OM_uint32 gssEapExportPartialContext(OM_uint32 *minor, gss_ctx_id_t ctx, @@ -46,7 +46,6 @@ gssEapExportPartialContext(OM_uint32 *minor, size_t length, serverLen = 0; unsigned char *p; char serverBuf[MAXHOSTNAMELEN]; - if (ctx->acceptorCtx.radConn != NULL) { if (rs_conn_get_current_peer(ctx->acceptorCtx.radConn, serverBuf, sizeof(serverBuf)) != 0) { @@ -59,7 +58,6 @@ gssEapExportPartialContext(OM_uint32 *minor, } serverLen = strlen(serverBuf); } - length = 4 + serverLen + 4 + ctx->acceptorCtx.state.length; token->value = GSSEAP_MALLOC(length); @@ -98,6 +96,7 @@ cleanup: return major; } +#endif /* GSSEAP_ENABLE_ACCEPTOR */ OM_uint32 gssEapExportSecContext(OM_uint32 *minor, @@ -136,7 +135,7 @@ gssEapExportSecContext(OM_uint32 *minor, if (GSS_ERROR(major)) goto cleanup; } - +#ifdef GSSEAP_ENABLE_ACCEPTOR /* * The partial context is only transmitted for unestablished acceptor * contexts. @@ -147,6 +146,7 @@ gssEapExportSecContext(OM_uint32 *minor, if (GSS_ERROR(major)) goto cleanup; } +#endif length = 16; /* version, state, flags, */ length += 4 + ctx->mechanismUsed->length; /* mechanismUsed */ 
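Review bot: The `#else` branch at the end of gss_delete_name_attribute returns GSS_S_UNAVAILABLE without setting `*minor`, whereas the enabled path sets `*minor = 0` before doing anything, so callers in the acceptor-less build read an uninitialized minor status; the same applies to the stubs added in get_name_attribute.c and set_name_attribute.c, and gss_get_name_attribute additionally leaves `*more` and its two output buffers untouched. Suggest `*minor = 0;` ahead of each `return GSS_S_UNAVAILABLE;` (and `*more = 0;` plus empty output buffers in the get variant). The closing `#endif` here also lacks the `/* GSSEAP_ENABLE_ACCEPTOR */` tag the other files in this commit use.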
diff --git a/moonshot/mech_eap/get_name_attribute.c b/moonshot/mech_eap/get_name_attribute.c index 8273368..d616622 100644 --- a/moonshot/mech_eap/get_name_attribute.c +++ b/moonshot/mech_eap/get_name_attribute.c @@ -46,6 +46,7 @@ gss_get_name_attribute(OM_uint32 *minor, gss_buffer_t display_value, int *more) { +#ifdef GSSEAP_ENABLE_ACCEPTOR OM_uint32 major; *minor = 0; @@ -64,4 +65,7 @@ gss_get_name_attribute(OM_uint32 *minor, GSSEAP_MUTEX_UNLOCK(&name->mutex); return major; +#else + return GSS_S_UNAVAILABLE; +#endif } diff --git a/moonshot/mech_eap/gssapiP_eap.h b/moonshot/mech_eap/gssapiP_eap.h index 8bad9a8..503ac52 100644 --- a/moonshot/mech_eap/gssapiP_eap.h +++ b/moonshot/mech_eap/gssapiP_eap.h @@ -73,6 +73,7 @@ typedef const gss_OID_desc *gss_const_OID; #include #include +#ifdef GSSEAP_ENABLE_ACCEPTOR /* FreeRADIUS headers */ #ifdef __cplusplus extern "C" { @@ -86,6 +87,7 @@ extern "C" { #undef operator } #endif +#endif /*GSSEAP_ENABLE_ACCEPTOR*/ #include "gsseap_err.h" #include "radsec_err.h" @@ -169,6 +171,7 @@ struct gss_eap_initiator_ctx { struct wpabuf reqData; }; +#ifdef GSSEAP_ENABLE_ACCEPTOR struct gss_eap_acceptor_ctx { struct rs_context *radContext; struct rs_connection *radConn; @@ -176,6 +179,7 @@ struct gss_eap_acceptor_ctx { gss_buffer_desc state; VALUE_PAIR *vps; }; +#endif #ifdef HAVE_HEIMDAL_VERSION struct gss_ctx_id_t_desc_struct @@ -200,8 +204,10 @@ struct gss_ctx_id_struct union { struct gss_eap_initiator_ctx initiator; #define initiatorCtx ctxU.initiator +#ifdef GSSEAP_ENABLE_ACCEPTOR struct gss_eap_acceptor_ctx acceptor; #define acceptorCtx ctxU.acceptor +#endif #ifdef GSSEAP_ENABLE_REAUTH gss_ctx_id_t reauth; #define reauthCtx ctxU.reauth diff --git a/moonshot/mech_eap/import_sec_context.c b/moonshot/mech_eap/import_sec_context.c index d571bca..e0012bd 100644 --- a/moonshot/mech_eap/import_sec_context.c +++ b/moonshot/mech_eap/import_sec_context.c 
@@ -48,6 +48,7 @@ } \ } while (0) +#ifdef GSSEAP_ENABLE_ACCEPTOR static OM_uint32 gssEapImportPartialContext(OM_uint32 *minor, unsigned char **pBuf, @@ -113,6 +114,7 @@ gssEapImportPartialContext(OM_uint32 *minor, return GSS_S_COMPLETE; } +#endif /* GSSEAP_ENABLE_ACCEPTOR */ static OM_uint32 importMechanismOid(OM_uint32 *minor, @@ -303,7 +305,7 @@ gssEapImportContext(OM_uint32 *minor, major = sequenceInternalize(minor, &ctx->seqState, &p, &remain); if (GSS_ERROR(major)) return major; - +#ifdef GSSEAP_ENABLE_ACCEPTOR /* * The partial context should only be expected for unestablished * acceptor contexts. @@ -314,6 +316,7 @@ gssEapImportContext(OM_uint32 *minor, if (GSS_ERROR(major)) return major; } +#endif #ifdef GSSEAP_DEBUG assert(remain == 0); diff --git a/moonshot/mech_eap/set_name_attribute.c b/moonshot/mech_eap/set_name_attribute.c index 6dd9434..b8793b4 100644 --- a/moonshot/mech_eap/set_name_attribute.c +++ b/moonshot/mech_eap/set_name_attribute.c @@ -43,6 +43,7 @@ gss_set_name_attribute(OM_uint32 *minor, gss_buffer_t attr, gss_buffer_t value) { +#ifdef GSSEAP_ENABLE_ACCEPTOR OM_uint32 major; if (name == GSS_C_NO_NAME) { @@ -57,4 +58,7 @@ gss_set_name_attribute(OM_uint32 *minor, GSSEAP_MUTEX_UNLOCK(&name->mutex); return major; +#else + return GSS_S_UNAVAILABLE; +#endif } diff --git a/moonshot/mech_eap/util.h b/moonshot/mech_eap/util.h index 4de00e3..906a229 100644 --- a/moonshot/mech_eap/util.h +++ b/moonshot/mech_eap/util.h @@ -851,8 +851,10 @@ gssBufferToKrbData(gss_buffer_t buffer, krb5_data *data) } #endif +#ifdef GSSEAP_ENABLE_ACCEPTOR #include "util_json.h" #include "util_attr.h" +#endif #include "util_base64.h" #ifdef GSSEAP_ENABLE_REAUTH #include "util_reauth.h" diff --git a/moonshot/mech_eap/util_context.c b/moonshot/mech_eap/util_context.c index 5a39424..8ff6c50 100644 --- a/moonshot/mech_eap/util_context.c +++ b/moonshot/mech_eap/util_context.c 
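Review bot: With the acceptor disabled, a serialized context flagged as an unestablished acceptor context (one produced by an acceptor-enabled build) now has its partial-context bytes skipped rather than parsed, and the only check that would notice the leftover bytes, `assert(remain == 0)`, is compiled in only under GSSEAP_DEBUG; in a release build the import silently succeeds with a context this build cannot drive. The condition guarding the import is outside the hunk, so unless it already rejects non-initiator contexts, add an `#else` branch that fails closed, `#else if (!CTX_IS_INITIATOR(ctx)) return GSS_S_DEFECTIVE_TOKEN;` (or GSS_S_UNAVAILABLE to match the other stubs). Making the `remain` check unconditional and returning GSS_S_DEFECTIVE_TOKEN instead of asserting would catch any such mismatch regardless of build options. gssEapImportContext continues outside this hunk.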
@@ -84,6 +84,7 @@ releaseInitiatorContext(struct gss_eap_initiator_ctx *ctx) eap_peer_sm_deinit(ctx->eap); } +#ifdef GSSEAP_ENABLE_ACCEPTOR static void releaseAcceptorContext(struct gss_eap_acceptor_ctx *ctx) { @@ -99,6 +100,7 @@ releaseAcceptorContext(struct gss_eap_acceptor_ctx *ctx) if (ctx->vps != NULL) gssEapRadiusFreeAvps(&tmpMinor, &ctx->vps); } +#endif /* GSSEAP_ENABLE_ACCEPTOR */ OM_uint32 gssEapReleaseContext(OM_uint32 *minor, @@ -122,7 +124,9 @@ gssEapReleaseContext(OM_uint32 *minor, if (CTX_IS_INITIATOR(ctx)) { releaseInitiatorContext(&ctx->initiatorCtx); } else { +#ifdef GSSEAP_ENABLE_ACCEPTOR releaseAcceptorContext(&ctx->acceptorCtx); +#endif } krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key); diff --git a/moonshot/mech_eap/util_cred.c b/moonshot/mech_eap/util_cred.c index c468f97..d0ca5af 100644 --- a/moonshot/mech_eap/util_cred.c +++ b/moonshot/mech_eap/util_cred.c @@ -37,8 +37,7 @@ #include "gssapiP_eap.h" #include -#include // for BUFSIZ - +#include /* for BUFSIZ */ OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred) diff --git a/moonshot/mech_eap/util_name.c b/moonshot/mech_eap/util_name.c index fbd4b8a..0e7d004 100644 --- a/moonshot/mech_eap/util_name.c +++ b/moonshot/mech_eap/util_name.c @@ -112,8 +112,9 @@ gssEapReleaseName(OM_uint32 *minor, gss_name_t *pName) GSSEAP_KRB_INIT(&krbContext); krb5_free_principal(krbContext, name->krbPrincipal); gssEapReleaseOid(&tmpMinor, &name->mechanismUsed); - +#ifdef GSSEAP_ENABLE_ACCEPTOR gssEapReleaseAttrContext(&tmpMinor, name); +#endif GSSEAP_MUTEX_DESTROY(&name->mutex); GSSEAP_FREE(name); @@ -431,8 +432,11 @@ gssEapImportNameInternal(OM_uint32 *minor, buf.length = remain; buf.value = p; - +#ifdef GSSEAP_ENABLE_ACCEPTOR major = gssEapImportAttrContext(minor, &buf, name); +#else + major = GSS_S_UNAVAILABLE; +#endif if (GSS_ERROR(major)) goto cleanup; } 
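Review bot: `major = GSS_S_UNAVAILABLE;` in the `#else` branch of gssEapImportNameInternal is not paired with a minor status, while the gssEapImportAttrContext call it replaces receives `minor` and is expected to set it; the export and canonicalize branches in the next hunks have the same shape. Pair each with `*minor = 0;` (or a project-specific minor code, placeholder GSSEAP_MINOR_PLACEHOLDER, if one exists) so the (major, minor) pair reported to callers is always defined. Failing closed here is the right default for an acceptor-less build: a composite name that arrives carrying attributes should not be accepted with its attribute context silently dropped. gssEapImportNameInternal continues outside this hunk.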
@@ -566,7 +570,11 @@ gssEapExportNameInternal(OM_uint32 *minor, } exportedNameLen += 4 + nameBuf.length; if (flags & EXPORT_NAME_FLAG_COMPOSITE) { +#ifdef GSSEAP_ENABLE_ACCEPTOR major = gssEapExportAttrContext(minor, name, &attrs); +#else + major = GSS_S_UNAVAILABLE; +#endif if (GSS_ERROR(major)) goto cleanup; exportedNameLen += attrs.length; @@ -671,7 +679,11 @@ gssEapCanonicalizeName(OM_uint32 *minor, } if (input_name->attrCtx != NULL) { +#ifdef GSSEAP_ENABLE_ACCEPTOR major = gssEapDuplicateAttrContext(minor, input_name, name); +#else + major = GSS_S_UNAVAILABLE; +#endif if (GSS_ERROR(major)) goto cleanup; }