From 67d88e629802d927e567ba3c339412ffbbd84e2e Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Tue, 29 Nov 2011 02:01:39 +1100 Subject: [PATCH] Revert "Support EAP-TLS in Moonshot (requires OpenSSL)" This reverts commit 2ef42df0ecea8745a678fe26ff9b16072b93586b. --- moonshot/acinclude.m4 | 40 +------------ moonshot/configure.ac | 2 - moonshot/libeap | 2 +- moonshot/mech_eap/Makefile.am | 5 +- moonshot/mech_eap/gssapiP_eap.h | 3 - moonshot/mech_eap/gssapi_eap.h | 7 --- moonshot/mech_eap/init_sec_context.c | 12 +--- moonshot/mech_eap/set_cred_option.c | 15 ----- moonshot/mech_eap/util.h | 6 -- moonshot/mech_eap/util_cred.c | 106 +++-------------------------------- 10 files changed, 15 insertions(+), 183 deletions(-) diff --git a/moonshot/acinclude.m4 b/moonshot/acinclude.m4 index 401ad2a..ff06090 100644 --- a/moonshot/acinclude.m4 +++ b/moonshot/acinclude.m4 @@ -115,7 +115,7 @@ else -DEAP_SERVER_GPSK \ -DEAP_SERVER_GPSK_SHA256 \ -DIEEE8021X_EAPOL"; - EAP_LIBS="-leap -lutils -lcrypto -ltls -lssl"; + EAP_LIBS="-leap -lutils -lcrypto -ltls"; EAP_LDFLAGS="-L$eapdir/eap_example -L$eapdir/src/utils -L$eapdir/src/crypto -L$eapdir/src/tls"; AC_SUBST(EAP_CFLAGS) AC_SUBST(EAP_LDFLAGS) @@ -249,44 +249,6 @@ fi fi ])dnl -AC_DEFUN([AX_CHECK_OPENSSL], -[AC_MSG_CHECKING(for OpenSSL) -OPENSSL_DIR= -found_openssl="no" -AC_ARG_WITH(openssl, - AC_HELP_STRING([--with-openssl], - [Use OpenSSL (in specified installation directory)]), - [check_openssl_dir="$withval"], - [check_openssl_dir=]) -for dir in $check_openssl_dir $prefix /usr /usr/local ; do - openssldir="$dir" - if test -f "$dir/include/openssl/opensslv.h"; then - found_openssl="yes"; - OPENSSL_DIR="${openssldir}" - OPENSSL_CFLAGS="-I$openssldir/include"; - break; - fi -done -AC_MSG_RESULT($found_openssl) -if test x_$found_openssl != x_yes; then - AC_MSG_ERROR([ ----------------------------------------------------------------------- - Cannot find OpenSSL libraries. - - Please install libssl or specify installation directory with - --with-openssl=(dir). ----------------------------------------------------------------------- -]) -else - printf "OpenSSL found in $openssldir\n"; - OPENSSL_LIBS="-lssl -lcrypto"; - OPENSSL_LDFLAGS="-L$openssldir/lib"; - AC_SUBST(OPENSSL_CFLAGS) - AC_SUBST(OPENSSL_LDFLAGS) - AC_SUBST(OPENSSL_LIBS) -fi -])dnl - AC_DEFUN([AX_CHECK_RADSEC], [AC_MSG_CHECKING(for radsec) RADSEC_DIR= diff --git a/moonshot/configure.ac b/moonshot/configure.ac index 1049dd7..4297345 100644 --- a/moonshot/configure.ac +++ b/moonshot/configure.ac @@ -81,8 +81,6 @@ if test x_$found_shibresolver = x_yes; then AX_CHECK_SHIBSP fi -AX_CHECK_OPENSSL - if test "x$acceptor" = "xyes" ; then AX_CHECK_RADSEC AX_CHECK_JANSSON diff --git a/moonshot/libeap b/moonshot/libeap index 06ba9ae..3c68005 160000 --- a/moonshot/libeap +++ b/moonshot/libeap @@ -1 +1 @@ -Subproject commit 06ba9ae7494306585ea8115619e98266ae4dc26c +Subproject commit 3c6800594dbfcba5d36cfa5556288eae999f83ba diff --git a/moonshot/mech_eap/Makefile.am b/moonshot/mech_eap/Makefile.am index a652182..8c6f64c 100644 --- a/moonshot/mech_eap/Makefile.am +++ b/moonshot/mech_eap/Makefile.am @@ -42,14 +42,13 @@ mech_eap_la_CXXFLAGS += \ @TARGET_CFLAGS@ $(EAP_CFLAGS) mech_eap_la_LDFLAGS = -avoid-version -module \ -export-symbols $(GSSEAP_EXPORTS) -no-undefined \ - @RADSEC_LDFLAGS@ @OPENSSL_LDFLAGS@ @TARGET_LDFLAGS@ + @RADSEC_LDFLAGS@ @TARGET_LDFLAGS@ if TARGET_WINDOWS mech_eap_la_LDFLAGS += -debug endif mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \ - @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@ \ - @OPENSSL_LIBS@ + @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@ mech_eap_la_SOURCES = \ acquire_cred.c \ acquire_cred_with_password.c \ diff --git a/moonshot/mech_eap/gssapiP_eap.h b/moonshot/mech_eap/gssapiP_eap.h index c763fbd..d1790a0 100644 --- a/moonshot/mech_eap/gssapiP_eap.h +++ b/moonshot/mech_eap/gssapiP_eap.h @@ -150,7 +150,6 @@ struct gss_name_struct #define CRED_FLAG_DEFAULT_CCACHE 0x00080000 #define CRED_FLAG_RESOLVED 0x00100000 #define CRED_FLAG_TARGET 0x00200000 -#define CRED_FLAG_CERTIFICATE 0x00400000 #define CRED_FLAG_PUBLIC_MASK 0x0000FFFF #ifdef HAVE_HEIMDAL_VERSION @@ -171,8 +170,6 @@ struct gss_cred_id_struct gss_buffer_desc caCertificate; gss_buffer_desc subjectNameConstraint; gss_buffer_desc subjectAltNameConstraint; - gss_buffer_desc clientCertificate; - gss_buffer_desc privateKey; #ifdef GSSEAP_ENABLE_REAUTH krb5_ccache krbCredCache; gss_cred_id_t reauthCred; diff --git a/moonshot/mech_eap/gssapi_eap.h b/moonshot/mech_eap/gssapi_eap.h index 02f132f..588665b 100644 --- a/moonshot/mech_eap/gssapi_eap.h +++ b/moonshot/mech_eap/gssapi_eap.h @@ -78,13 +78,6 @@ extern gss_OID GSS_EAP_CRED_SET_CRED_FLAG; extern gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD; /* - * Path to PKCS#12 private key file for use with EAP-TLS - * authentication. - */ -extern gss_OID GSS_EAP_CRED_SET_CRED_PRIVATE_KEY; - - -/* * Credentials flag indicating the local attributes * processing should be skipped. */ diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 8a877fd..e99b479 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c @@ -250,22 +250,14 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) eapPeerConfig->anonymous_identity_len = 1 + realm.length; /* password */ - if ((cred->flags & CRED_FLAG_CERTIFICATE) == 0) { - eapPeerConfig->password = (unsigned char *)cred->password.value; - eapPeerConfig->password_len = cred->password.length; - } + eapPeerConfig->password = (unsigned char *)cred->password.value; + eapPeerConfig->password_len = cred->password.length; /* certs */ eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value; eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value; eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value; - if (cred->flags & CRED_FLAG_CERTIFICATE) { - eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value; - eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value; - eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value; - } - *minor = 0; return GSS_S_COMPLETE; } diff --git a/moonshot/mech_eap/set_cred_option.c b/moonshot/mech_eap/set_cred_option.c index 98bb482..7bb9b7b 100644 --- a/moonshot/mech_eap/set_cred_option.c +++ b/moonshot/mech_eap/set_cred_option.c @@ -121,15 +121,6 @@ setCredPassword(OM_uint32 *minor, return gssEapSetCredPassword(minor, cred, buffer); } -static OM_uint32 -setCredPrivateKey(OM_uint32 *minor, - gss_cred_id_t cred, - const gss_OID oid GSSEAP_UNUSED, - const gss_buffer_t buffer) -{ - return gssEapSetCredClientCertificate(minor, cred, GSS_C_NO_BUFFER, buffer); -} - static struct { gss_OID_desc oid; OM_uint32 (*setOption)(OM_uint32 *, gss_cred_id_t cred, @@ -155,18 +146,12 @@ static struct { { 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x04" }, setCredPassword, }, - /* 1.3.6.1.4.1.5322.22.3.3.5 */ - { - { 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x05" }, - setCredPrivateKey, - }, }; gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_FILE = &setCredOps[0].oid; gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_STANZA = &setCredOps[1].oid; gss_OID GSS_EAP_CRED_SET_CRED_FLAG = &setCredOps[2].oid; gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD = &setCredOps[3].oid; -gss_OID GSS_EAP_CRED_SET_CRED_PRIVATE_KEY = &setCredOps[4].oid; OM_uint32 GSSAPI_CALLCONV gssspi_set_cred_option(OM_uint32 *minor, diff --git a/moonshot/mech_eap/util.h b/moonshot/mech_eap/util.h index 7a6c094..4f54d41 100644 --- a/moonshot/mech_eap/util.h +++ b/moonshot/mech_eap/util.h @@ -270,12 +270,6 @@ gssEapSetCredPassword(OM_uint32 *minor, const gss_buffer_t password); OM_uint32 -gssEapSetCredClientCertificate(OM_uint32 *minor, - gss_cred_id_t cred, - const gss_buffer_t clientCert, - const gss_buffer_t privateKey); - -OM_uint32 gssEapSetCredService(OM_uint32 *minor, gss_cred_id_t cred, const gss_name_t target); diff --git a/moonshot/mech_eap/util_cred.c b/moonshot/mech_eap/util_cred.c index 53a19a7..746bd61 100644 --- a/moonshot/mech_eap/util_cred.c +++ b/moonshot/mech_eap/util_cred.c @@ -104,8 +104,6 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred) gss_release_buffer(&tmpMinor, &cred->caCertificate); gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint); gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint); - gss_release_buffer(&tmpMinor, &cred->privateKey); - gss_release_buffer(&tmpMinor, &cred->clientCertificate); #ifdef GSSEAP_ENABLE_REAUTH if (cred->krbCredCache != NULL) { @@ -130,8 +128,7 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred) static OM_uint32 readStaticIdentityFile(OM_uint32 *minor, gss_buffer_t defaultIdentity, - gss_buffer_t defaultPassword, - gss_buffer_t defaultPrivateKey) + gss_buffer_t defaultPassword) { OM_uint32 major, tmpMinor; FILE *fp = NULL; @@ -151,11 +148,6 @@ readStaticIdentityFile(OM_uint32 *minor, defaultPassword->value = NULL; } - if (defaultPrivateKey != GSS_C_NO_BUFFER) { - defaultPrivateKey->length = 0; - defaultPrivateKey->value = NULL; - } - ccacheName = getenv("GSSEAP_IDENTITY"); if (ccacheName == NULL) { #ifdef WIN32 @@ -211,8 +203,6 @@ readStaticIdentityFile(OM_uint32 *minor, dst = defaultIdentity; else if (i == 1) dst = defaultPassword; - else if (i == 2) - dst = defaultPrivateKey; else break; @@ -241,7 +231,6 @@ cleanup: if (GSS_ERROR(major)) { gss_release_buffer(&tmpMinor, defaultIdentity); zeroAndReleasePassword(defaultPassword); - gss_release_buffer(&tmpMinor, defaultPrivateKey); } memset(buf, 0, sizeof(buf)); @@ -382,8 +371,7 @@ staticIdentityFileResolveDefaultIdentity(OM_uint32 *minor, *pName = GSS_C_NO_NAME; - major = readStaticIdentityFile(minor, &defaultIdentity, - GSS_C_NO_BUFFER, GSS_C_NO_BUFFER); + major = readStaticIdentityFile(minor, &defaultIdentity, GSS_C_NO_BUFFER); if (major == GSS_S_COMPLETE) { major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME, nameMech, pName); @@ -547,68 +535,6 @@ cleanup: return major; } -/* - * Currently only the privateKey path is exposed to the application - * (via gss_set_cred_option() or the third line in ~/.gss_eap_id). - * At some point in the future we may add support for setting the - * client certificate separately. - */ -OM_uint32 -gssEapSetCredClientCertificate(OM_uint32 *minor, - gss_cred_id_t cred, - const gss_buffer_t clientCert, - const gss_buffer_t privateKey) -{ - OM_uint32 major, tmpMinor; - gss_buffer_desc newClientCert = GSS_C_EMPTY_BUFFER; - gss_buffer_desc newPrivateKey = GSS_C_EMPTY_BUFFER; - - if (cred->flags & CRED_FLAG_RESOLVED) { - major = GSS_S_FAILURE; - *minor = GSSEAP_CRED_RESOLVED; - goto cleanup; - } - - if (clientCert == GSS_C_NO_BUFFER && - privateKey == GSS_C_NO_BUFFER) { - cred->flags &= ~(CRED_FLAG_CERTIFICATE); - major = GSS_S_COMPLETE; - *minor = 0; - goto cleanup; - } - - if (clientCert != GSS_C_NO_BUFFER) { - major = duplicateBuffer(minor, clientCert, &newClientCert); - if (GSS_ERROR(major)) - goto cleanup; - } - - if (privateKey != GSS_C_NO_BUFFER) { - major = duplicateBuffer(minor, privateKey, &newPrivateKey); - if (GSS_ERROR(major)) - goto cleanup; - } - - cred->flags |= CRED_FLAG_CERTIFICATE; - - gss_release_buffer(&tmpMinor, &cred->clientCertificate); - cred->clientCertificate = newClientCert; - - gss_release_buffer(&tmpMinor, &cred->privateKey); - cred->privateKey = newPrivateKey; - - major = GSS_S_COMPLETE; - *minor = 0; - -cleanup: - if (GSS_ERROR(major)) { - gss_release_buffer(&tmpMinor, &newClientCert); - gss_release_buffer(&tmpMinor, &newPrivateKey); - } - - return major; -} - OM_uint32 gssEapSetCredService(OM_uint32 *minor, gss_cred_id_t cred, @@ -693,8 +619,6 @@ gssEapDuplicateCred(OM_uint32 *minor, duplicateBufferOrCleanup(&src->subjectNameConstraint, &dst->subjectNameConstraint); if (src->subjectAltNameConstraint.value != NULL) duplicateBufferOrCleanup(&src->subjectAltNameConstraint, &dst->subjectAltNameConstraint); - if (src->privateKey.value != NULL) - duplicateBufferOrCleanup(&src->privateKey, &dst->privateKey); #ifdef GSSEAP_ENABLE_REAUTH /* XXX krbCredCache, reauthCred */ @@ -719,11 +643,9 @@ staticIdentityFileResolveInitiatorCred(OM_uint32 *minor, gss_cred_id_t cred) gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER; gss_name_t defaultIdentityName = GSS_C_NO_NAME; gss_buffer_desc defaultPassword = GSS_C_EMPTY_BUFFER; - gss_buffer_desc defaultPrivateKey = GSS_C_EMPTY_BUFFER; int isDefaultIdentity = FALSE; - major = readStaticIdentityFile(minor, &defaultIdentity, - &defaultPassword, &defaultPrivateKey); + major = readStaticIdentityFile(minor, &defaultIdentity, &defaultPassword); if (GSS_ERROR(major)) goto cleanup; @@ -751,26 +673,17 @@ staticIdentityFileResolveInitiatorCred(OM_uint32 *minor, gss_cred_id_t cred) } } - if (isDefaultIdentity) { - if (defaultPrivateKey.length != 0) { - major = gssEapSetCredClientCertificate(minor, cred, GSS_C_NO_BUFFER, - &defaultPrivateKey); - if (GSS_ERROR(major)) - goto cleanup; - } - - if ((cred->flags & CRED_FLAG_PASSWORD) == 0) { - major = gssEapSetCredPassword(minor, cred, &defaultPassword); - if (GSS_ERROR(major)) - goto cleanup; - } + if (isDefaultIdentity && + (cred->flags & CRED_FLAG_PASSWORD) == 0) { + major = gssEapSetCredPassword(minor, cred, &defaultPassword); + if (GSS_ERROR(major)) + goto cleanup; } cleanup: gssEapReleaseName(&tmpMinor, &defaultIdentityName); zeroAndReleasePassword(&defaultPassword); gss_release_buffer(&tmpMinor, &defaultIdentity); - gss_release_buffer(&tmpMinor, &defaultPrivateKey); return major; } @@ -821,8 +734,7 @@ gssEapResolveInitiatorCred(OM_uint32 *minor, goto cleanup; /* If we have a caller-supplied password, the credential is resolved. */ - if ((resolvedCred->flags & - (CRED_FLAG_PASSWORD | CRED_FLAG_CERTIFICATE)) == 0) { + if ((resolvedCred->flags & CRED_FLAG_PASSWORD) == 0) { major = GSS_S_CRED_UNAVAIL; *minor = GSSEAP_NO_DEFAULT_CRED; goto cleanup; -- 2.1.4