From 6196f93aaca970f23276407af0812179c51a29ea Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 17 Nov 2011 20:34:12 +1100 Subject: [PATCH] Allow certificate/private key to contain binary data --- moonshot/mech_eap/gssapiP_eap.h | 6 ++++++ moonshot/mech_eap/init_sec_context.c | 36 +++++++++++++++++++++++++++++++----- 2 files changed, 37 insertions(+), 5 deletions(-) diff --git a/moonshot/mech_eap/gssapiP_eap.h b/moonshot/mech_eap/gssapiP_eap.h index c763fbd..eb7e7db 100644 --- a/moonshot/mech_eap/gssapiP_eap.h +++ b/moonshot/mech_eap/gssapiP_eap.h @@ -151,6 +151,7 @@ struct gss_name_struct #define CRED_FLAG_RESOLVED 0x00100000 #define CRED_FLAG_TARGET 0x00200000 #define CRED_FLAG_CERTIFICATE 0x00400000 +#define CRED_FLAG_CONFIG_BLOB 0x00800000 #define CRED_FLAG_PUBLIC_MASK 0x0000FFFF #ifdef HAVE_HEIMDAL_VERSION @@ -198,11 +199,16 @@ struct gss_cred_id_struct #define CTX_FLAG_EAP_ALT_REJECT 0x01000000 #define CTX_FLAG_EAP_MASK 0xFFFF0000 +#define CONFIG_BLOB_CLIENT_CERT 0 +#define CONFIG_BLOB_PRIVATE_KEY 1 +#define CONFIG_BLOB_MAX 2 + struct gss_eap_initiator_ctx { unsigned int idleWhile; struct eap_peer_config eapPeerConfig; struct eap_sm *eap; struct wpabuf reqData; + struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX]; }; #ifdef GSSEAP_ENABLE_ACCEPTOR diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 8a877fd..a67d381 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c 
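Review bot: The new `configBlobs[CONFIG_BLOB_MAX]` array in `gss_eap_initiator_ctx` carries no note on ownership, and the `struct wpa_config_blob` entries in this patch are filled by pointing `.data` at the credential's `clientCertificate.value`/`privateKey.value` buffers rather than copying them, so the context's blobs are only valid while `ctx->cred` is alive and must not be freed by the EAP side. A short comment on the field would save the next maintainer from adding a free: `/* borrowed views of ctx->cred's certificate/key buffers; not owned */`. `CONFIG_BLOB_CLIENT_CERT`/`CONFIG_BLOB_PRIVATE_KEY`/`CONFIG_BLOB_MAX` are used only as array indices and would read better as an `enum` next to the struct, matching the C convention for related integer constants, though the file's other constants are `#define`s so this is a style choice. The struct definition's closing brace is visible in the hunk, but the enclosing header continues past it.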
@@ -167,10 +167,20 @@ peerSetConfigBlob(void *ctx GSSEAP_UNUSED, } static const struct wpa_config_blob * -peerGetConfigBlob(void *ctx GSSEAP_UNUSED, - const char *name GSSEAP_UNUSED) +peerGetConfigBlob(void *ctx, + const char *name) { - return NULL; + gss_ctx_id_t gssCtx = (gss_ctx_id_t)ctx; + size_t index; + + if (strcmp(name, "client-cert") == 0) + index = CONFIG_BLOB_CLIENT_CERT; + else if (strcmp(name, "private-key") == 0) + index = CONFIG_BLOB_PRIVATE_KEY; + else + return NULL; + + return &gssCtx->initiatorCtx.configBlobs[index]; } static void @@ -200,6 +210,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) OM_uint32 major; krb5_context krbContext; struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig; + struct wpa_config_blob *configBlobs = ctx->initiatorCtx.configBlobs; gss_buffer_desc identity = GSS_C_EMPTY_BUFFER; gss_buffer_desc realm = GSS_C_EMPTY_BUFFER; gss_cred_id_t cred = ctx->cred; 
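Review bot: `peerGetConfigBlob` now returns `&gssCtx->initiatorCtx.configBlobs[index]` unconditionally, so a lookup for "client-cert" or "private-key" on a context whose credential was not installed with CRED_FLAG_CONFIG_BLOB (the only path this patch shows populating those entries) hands the EAP layer a blob whose `data`/`len` were never assigned, instead of the NULL that previously meant "no such blob". A guard before the return keeps the old contract: `if (gssCtx->initiatorCtx.configBlobs[index].data == NULL) return NULL;` — this presumes the initiator context is zero-initialised at allocation, which is not visible in this patch and should be confirmed. The `name` argument also goes straight into `strcmp`; if the EAP peer code can ever call this hook with a NULL name, `if (name == NULL) return NULL;` is needed as well, otherwise a comment stating that callers always pass a non-NULL name would do. The cast of `ctx` to `gss_ctx_id_t` is also an assumption about how the EAP peer callbacks were registered that the hunk does not show.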
@@ -261,8 +272,23 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value; if (cred->flags & CRED_FLAG_CERTIFICATE) { - eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value; - eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value; + /* + * CRED_FLAG_CONFIG_BLOB is an internal flag which will be used in the + * future to directly pass certificate and private key data to the + * EAP implementation, rather than an indirected string pointer. + */ + if (cred->flags & CRED_FLAG_CONFIG_BLOB) { + eapPeerConfig->client_cert = (unsigned char *)"blob://client-cert"; + configBlobs[CONFIG_BLOB_CLIENT_CERT].data = cred->clientCertificate.value; + configBlobs[CONFIG_BLOB_CLIENT_CERT].len = cred->clientCertificate.length; + + eapPeerConfig->client_cert = (unsigned char *)"blob://private-key"; + configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->clientCertificate.value; + configBlobs[CONFIG_BLOB_PRIVATE_KEY].len = cred->privateKey.length; + } else { + eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value; + eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value; + } eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value; } -- 2.1.4
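Review bot: The CRED_FLAG_CONFIG_BLOB branch never sets `eapPeerConfig->private_key`: its second assignment writes `eapPeerConfig->client_cert` a second time with `"blob://private-key"`, and the private-key blob's `.data` is taken from `cred->clientCertificate.value` while its `.len` comes from `cred->privateKey.length`, so the EAP layer is given the certificate bytes under the private key's length (an over-read whenever the key is longer than the certificate) and the real key is never passed at all. The two lines should read `eapPeerConfig->private_key = (unsigned char *)"blob://private-key";` and `configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->privateKey.value;`. The block comment should also state that the blob entries alias the credential's buffers rather than copying them, since `.data` is assigned straight from `cred->...value` and nothing here takes a copy. `peerConfigInit` starts before this hunk, so whether `configBlobs` is cleared on the non-blob path is not visible here.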