From 57135a1070518a0c1228a29ed9fcf726357856a1 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Sun, 15 May 2011 01:18:02 +0200 Subject: [PATCH] implement gss_acquire_cred_ext --- moonshot/mech_eap/Makefile.am | 1 + moonshot/mech_eap/accept_sec_context.c | 1 + moonshot/mech_eap/acquire_cred.c | 12 +++-- moonshot/mech_eap/acquire_cred_ext.c | 69 ++++++++++++++++++++++++++ moonshot/mech_eap/acquire_cred_with_password.c | 13 +++-- moonshot/mech_eap/add_cred.c | 1 + moonshot/mech_eap/add_cred_with_password.c | 1 + moonshot/mech_eap/gsseap_err.et | 2 + moonshot/mech_eap/init_sec_context.c | 1 + moonshot/mech_eap/mech_eap.exports | 1 + moonshot/mech_eap/util.h | 5 +- moonshot/mech_eap/util_cred.c | 17 ++++++- 12 files changed, 116 insertions(+), 8 deletions(-) create mode 100644 moonshot/mech_eap/acquire_cred_ext.c diff --git a/moonshot/mech_eap/Makefile.am b/moonshot/mech_eap/Makefile.am index 55014cb..8da8ebc 100644 --- a/moonshot/mech_eap/Makefile.am +++ b/moonshot/mech_eap/Makefile.am @@ -25,6 +25,7 @@ mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \ mech_eap_la_SOURCES = \ accept_sec_context.c \ acquire_cred.c \ + acquire_cred_ext.c \ acquire_cred_with_password.c \ add_cred.c \ add_cred_with_password.c \ diff --git a/moonshot/mech_eap/accept_sec_context.c b/moonshot/mech_eap/accept_sec_context.c index cc8702d..7d1981d 100644 --- a/moonshot/mech_eap/accept_sec_context.c +++ b/moonshot/mech_eap/accept_sec_context.c @@ -843,6 +843,7 @@ gss_accept_sec_context(OM_uint32 *minor, if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { major = gssEapAcquireCred(minor, GSS_C_NO_NAME, + GSS_C_NO_OID, GSS_C_NO_BUFFER, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, diff --git a/moonshot/mech_eap/acquire_cred.c b/moonshot/mech_eap/acquire_cred.c index 2326eaa..8c5f7fc 100644 --- a/moonshot/mech_eap/acquire_cred.c +++ b/moonshot/mech_eap/acquire_cred.c @@ -46,7 +46,13 @@ gss_acquire_cred(OM_uint32 *minor, gss_OID_set *actual_mechs, OM_uint32 *time_rec) { - return gssEapAcquireCred(minor, desired_name, GSS_C_NO_BUFFER, - time_req, desired_mechs, cred_usage, - output_cred_handle, actual_mechs, time_rec); + return gssEapAcquireCred(minor, + desired_name, + GSS_C_NO_OID, + GSS_C_NO_BUFFER, + time_req, + desired_mechs, cred_usage, + output_cred_handle, + actual_mechs, + time_rec); } diff --git a/moonshot/mech_eap/acquire_cred_ext.c b/moonshot/mech_eap/acquire_cred_ext.c new file mode 100644 index 0000000..d8c2c61 --- /dev/null +++ b/moonshot/mech_eap/acquire_cred_ext.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2011, JANET(UK) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of JANET(UK) nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Wrapper for acquiring a credential handle. + */ + +#include "gssapiP_eap.h" + +OM_uint32 +gss_acquire_cred_ext + (OM_uint32 *minor, + const gss_name_t desired_name, + gss_const_OID credential_type, + const void *credential_data, + OM_uint32 time_req, + gss_const_OID desired_mech, + gss_cred_usage_t cred_usage, + gss_cred_id_t *output_cred_handle + ) +{ + OM_uint32 major; + gss_OID_set_desc mechs; + + mechs.count = 1; + mechs.elements = (gss_OID)desired_mech; + + major = gssEapAcquireCred(minor, + desired_name, + credential_type, + credential_data, + time_req, + &mechs, + cred_usage, + output_cred_handle, + NULL, + NULL); + + return major; +} diff --git a/moonshot/mech_eap/acquire_cred_with_password.c b/moonshot/mech_eap/acquire_cred_with_password.c index c0f4159..5904616 100644 --- a/moonshot/mech_eap/acquire_cred_with_password.c +++ b/moonshot/mech_eap/acquire_cred_with_password.c @@ -47,7 +47,14 @@ gssspi_acquire_cred_with_password(OM_uint32 *minor, gss_OID_set *actual_mechs, OM_uint32 *time_rec) { - return gssEapAcquireCred(minor, desired_name, password, - time_req, desired_mechs, cred_usage, - output_cred_handle, actual_mechs, time_rec); + return gssEapAcquireCred(minor, + desired_name, + &gssEapPasswordCredType, + password, + time_req, + desired_mechs, + cred_usage, + output_cred_handle, + actual_mechs, + time_rec); } diff --git a/moonshot/mech_eap/add_cred.c b/moonshot/mech_eap/add_cred.c index 37d0add..e6ca129 100644 --- a/moonshot/mech_eap/add_cred.c +++ b/moonshot/mech_eap/add_cred.c @@ -71,6 +71,7 @@ gss_add_cred(OM_uint32 *minor, major = gssEapAcquireCred(minor, desired_name, + GSS_C_NO_OID, GSS_C_NO_BUFFER, time_req, &mechs, diff --git a/moonshot/mech_eap/add_cred_with_password.c b/moonshot/mech_eap/add_cred_with_password.c index 7907138..6193405 100644 --- a/moonshot/mech_eap/add_cred_with_password.c +++ b/moonshot/mech_eap/add_cred_with_password.c @@ -67,6 +67,7 @@ gss_add_cred_with_password(OM_uint32 *minor, major = gssEapAcquireCred(minor, desired_name, + &gssEapPasswordCredType, password, time_req, &mechs, diff --git a/moonshot/mech_eap/gsseap_err.et b/moonshot/mech_eap/gsseap_err.et index 6bcfff0..d85c134 100644 --- a/moonshot/mech_eap/gsseap_err.et +++ b/moonshot/mech_eap/gsseap_err.et @@ -79,9 +79,11 @@ error_code GSSEAP_BAD_USAGE, "Credential usage type is unknow error_code GSSEAP_CRED_USAGE_MISMATCH, "Credential usage does not match requested usage" error_code GSSEAP_CRED_MECH_MISMATCH, "Credential is not usable with this mechanism" error_code GSSEAP_CRED_EXPIRED, "Attributes indicate credentials have expired" +error_code GSSEAP_BAD_CRED_TYPE, "Bad credential type" error_code GSSEAP_BAD_CRED_OPTION, "Bad credential option" error_code GSSEAP_NO_DEFAULT_IDENTITY, "Default credentials identity unavailable" error_code GSSEAP_NO_DEFAULT_CRED, "Missing default password or other credentials" + # # Wrap/unwrap/PRF errors # diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 930eb32..03a9ef1 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c @@ -943,6 +943,7 @@ gss_init_sec_context(OM_uint32 *minor, if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { major = gssEapAcquireCred(minor, GSS_C_NO_NAME, + GSS_C_NO_OID, GSS_C_NO_BUFFER, time_req, GSS_C_NO_OID_SET, diff --git a/moonshot/mech_eap/mech_eap.exports b/moonshot/mech_eap/mech_eap.exports index 12f7f54..14ece92 100644 --- a/moonshot/mech_eap/mech_eap.exports +++ b/moonshot/mech_eap/mech_eap.exports @@ -1,5 +1,6 @@ gss_accept_sec_context gss_acquire_cred +gss_acquire_cred_ext gss_add_cred gss_add_cred_with_password gss_canonicalize_name diff --git a/moonshot/mech_eap/util.h b/moonshot/mech_eap/util.h index 4de00e3..883eabf 100644 --- a/moonshot/mech_eap/util.h +++ b/moonshot/mech_eap/util.h @@ -206,13 +206,16 @@ gssEapContextTime(OM_uint32 *minor, OM_uint32 *time_rec); /* util_cred.c */ +extern const gss_OID_desc gssEapPasswordCredType; + OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred); OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred); OM_uint32 gssEapAcquireCred(OM_uint32 *minor, const gss_name_t desiredName, - const gss_buffer_t password, + gss_const_OID credType, + const void *credData, OM_uint32 timeReq, const gss_OID_set desiredMechs, int cred_usage, diff --git a/moonshot/mech_eap/util_cred.c b/moonshot/mech_eap/util_cred.c index 28cb76c..b481118 100644 --- a/moonshot/mech_eap/util_cred.c +++ b/moonshot/mech_eap/util_cred.c @@ -38,6 +38,9 @@ #include +const gss_OID_desc gssEapPasswordCredType = + { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" }; + OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred) { @@ -197,7 +200,8 @@ cleanup: OM_uint32 gssEapAcquireCred(OM_uint32 *minor, const gss_name_t desiredName, - const gss_buffer_t password, + gss_const_OID credType, + const void *credData, OM_uint32 timeReq GSSEAP_UNUSED, const gss_OID_set desiredMechs, int credUsage, @@ -211,10 +215,21 @@ gssEapAcquireCred(OM_uint32 *minor, gss_name_t defaultIdentityName = GSS_C_NO_NAME; gss_buffer_desc defaultCreds = GSS_C_EMPTY_BUFFER; gss_OID nameMech = GSS_C_NO_OID; + gss_buffer_t password = GSS_C_NO_BUFFER; /* XXX TODO validate with changed set_cred_option API */ *pCred = GSS_C_NO_CREDENTIAL; + if (credType != GSS_C_NO_OID) { + if (oidEqual(credType, &gssEapPasswordCredType)) { + password = (gss_buffer_t)credData; + } else { + major = GSS_S_CRED_UNAVAIL; + *minor = GSSEAP_BAD_CRED_TYPE; + goto cleanup; + } + } + major = gssEapAllocCred(minor, &cred); if (GSS_ERROR(major)) goto cleanup; -- 2.1.4