acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
{
OM_uint32 major, tmpMinor;
- VALUE_PAIR *vp;
+ rs_const_avp *vp;
gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
/* Cache encryption type derived from selected mechanism OID */
major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
PW_USER_NAME, 0, &vp);
- if (major == GSS_S_COMPLETE && vp->length) {
- nameBuf.length = vp->length;
- nameBuf.value = vp->vp_strvalue;
+ if (major == GSS_S_COMPLETE && rs_avp_length(vp) != 0) {
+ rs_avp_octets_value_byref((rs_avp *)vp,
+ (unsigned char **)&nameBuf.value,
+ &nameBuf.length);
} else {
ctx->gssFlags |= GSS_C_ANON_FLAG;
}
return major;
major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
- PW_MS_MPPE_SEND_KEY, VENDORPEC_MS, &vp);
+ PW_MS_MPPE_SEND_KEY, VENDORPEC_MICROSOFT, &vp);
if (GSS_ERROR(major)) {
*minor = GSSEAP_KEY_UNAVAILABLE;
return GSS_S_UNAVAILABLE;
}
major = gssEapDeriveRfc3961Key(minor,
- vp->vp_octets,
- vp->length,
+ rs_avp_octets_value_const_ptr(vp),
+ rs_avp_length(vp),
ctx->encryptionType,
&ctx->rfc3961Key);
if (GSS_ERROR(major))
static OM_uint32
setInitiatorIdentity(OM_uint32 *minor,
gss_ctx_id_t ctx,
- VALUE_PAIR **vps)
+ struct rs_packet *req)
{
OM_uint32 major, tmpMinor;
gss_buffer_desc nameBuf;
if (GSS_ERROR(major))
return major;
- major = gssEapRadiusAddAvp(minor, vps, PW_USER_NAME, 0, &nameBuf);
+ major = gssEapRadiusAddAvp(minor, req, PW_USER_NAME, 0, &nameBuf);
if (GSS_ERROR(major))
return major;
static OM_uint32
setAcceptorIdentity(OM_uint32 *minor,
gss_ctx_id_t ctx,
- VALUE_PAIR **vps)
+ struct rs_packet *req)
{
OM_uint32 major;
gss_buffer_desc nameBuf;
/* Acceptor-Service-Name */
krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf);
- major = gssEapRadiusAddAvp(minor, vps,
+ major = gssEapRadiusAddAvp(minor, req,
PW_GSS_ACCEPTOR_SERVICE_NAME,
- VENDORPEC_UKERNA,
+ 0,
&nameBuf);
if (GSS_ERROR(major))
return major;
/* Acceptor-Host-Name */
krbPrincComponentToGssBuffer(krbPrinc, 1, &nameBuf);
- major = gssEapRadiusAddAvp(minor, vps,
+ major = gssEapRadiusAddAvp(minor, req,
PW_GSS_ACCEPTOR_HOST_NAME,
- VENDORPEC_UKERNA,
+ 0,
&nameBuf);
if (GSS_ERROR(major))
return major;
nameBuf.value = ssi;
nameBuf.length = strlen(ssi);
- major = gssEapRadiusAddAvp(minor, vps,
- PW_GSS_ACCEPTOR_SERVICE_SPECIFIC,
- VENDORPEC_UKERNA,
+ major = gssEapRadiusAddAvp(minor, req,
+ PW_GSS_ACCEPTOR_SERVICE_SPECIFICS,
+ 0,
&nameBuf);
-
- if (GSS_ERROR(major)) {
- krb5_free_unparsed_name(krbContext, ssi);
- return major;
- }
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_xfree(ssi);
+#else
krb5_free_unparsed_name(krbContext, ssi);
+#endif
+ if (GSS_ERROR(major))
+ return major;
}
krbPrincRealmToGssBuffer(krbPrinc, &nameBuf);
if (nameBuf.length != 0) {
/* Acceptor-Realm-Name */
- major = gssEapRadiusAddAvp(minor, vps,
+ major = gssEapRadiusAddAvp(minor, req,
PW_GSS_ACCEPTOR_REALM_NAME,
- VENDORPEC_UKERNA,
+ 0,
&nameBuf);
if (GSS_ERROR(major))
return major;
struct rs_connection *rconn;
struct rs_request *request = NULL;
struct rs_packet *req = NULL, *resp = NULL;
- struct radius_packet *frreq, *frresp;
+ int isAccessChallenge;
if (ctx->acceptorCtx.radContext == NULL) {
/* May be NULL from an imported partial context */
major = gssEapRadiusMapError(minor, rs_err_conn_pop(rconn));
goto cleanup;
}
- frreq = rs_packet_frpkt(req);
- major = setInitiatorIdentity(minor, ctx, &frreq->vps);
+ major = setInitiatorIdentity(minor, ctx, req);
if (GSS_ERROR(major))
goto cleanup;
- major = setAcceptorIdentity(minor, ctx, &frreq->vps);
+ major = setAcceptorIdentity(minor, ctx, req);
if (GSS_ERROR(major))
goto cleanup;
- major = gssEapRadiusAddAvp(minor, &frreq->vps,
+ major = gssEapRadiusAddAvp(minor, req,
PW_EAP_MESSAGE, 0, inputToken);
if (GSS_ERROR(major))
goto cleanup;
if (ctx->acceptorCtx.state.length != 0) {
- major = gssEapRadiusAddAvp(minor, &frreq->vps, PW_STATE, 0,
+ major = gssEapRadiusAddAvp(minor, req, PW_STATE, 0,
&ctx->acceptorCtx.state);
if (GSS_ERROR(major))
goto cleanup;
GSSEAP_ASSERT(resp != NULL);
- frresp = rs_packet_frpkt(resp);
- switch (frresp->code) {
+ isAccessChallenge = 0;
+
+ switch (rs_packet_code(resp)) {
case PW_ACCESS_CHALLENGE:
- case PW_AUTHENTICATION_ACK:
+ isAccessChallenge = 1;
+ break;
+ case PW_ACCESS_ACCEPT:
break;
- case PW_AUTHENTICATION_REJECT:
+ case PW_ACCESS_REJECT:
*minor = GSSEAP_RADIUS_AUTH_FAILURE;
major = GSS_S_DEFECTIVE_CREDENTIAL;
goto cleanup;
break;
}
- major = gssEapRadiusGetAvp(minor, frresp->vps, PW_EAP_MESSAGE, 0,
+ major = gssEapRadiusGetAvp(minor, resp, PW_EAP_MESSAGE, 0,
outputToken, TRUE);
- if (major == GSS_S_UNAVAILABLE && frresp->code == PW_ACCESS_CHALLENGE) {
+ if (major == GSS_S_UNAVAILABLE && isAccessChallenge) {
*minor = GSSEAP_MISSING_EAP_REQUEST;
major = GSS_S_DEFECTIVE_TOKEN;
goto cleanup;
} else if (GSS_ERROR(major))
goto cleanup;
- if (frresp->code == PW_ACCESS_CHALLENGE) {
- major = gssEapRadiusGetAvp(minor, frresp->vps, PW_STATE, 0,
+ if (isAccessChallenge) {
+ major = gssEapRadiusGetAvp(minor, resp, PW_STATE, 0,
&ctx->acceptorCtx.state, TRUE);
if (GSS_ERROR(major) && *minor != GSSEAP_NO_SUCH_ATTR)
goto cleanup;
} else {
- ctx->acceptorCtx.vps = frresp->vps;
- frresp->vps = NULL;
+ rs_avp **vps;
+
+ rs_packet_avps(resp, &vps);
+
+ ctx->acceptorCtx.vps = *vps;
+ *vps = NULL;
major = acceptReadyEap(minor, ctx, cred);
if (GSS_ERROR(major))
#endif
{
ITOK_TYPE_NONE,
+ ITOK_TYPE_ACCEPTOR_NAME_RESP,
+ GSSEAP_STATE_ACCEPTOR_EXTS,
+ 0,
+ eapGssSmAcceptAcceptorName
+ },
+ {
+ ITOK_TYPE_NONE,
ITOK_TYPE_ACCEPTOR_MIC,
GSSEAP_STATE_ACCEPTOR_EXTS,
0,
* credential handle.
*/
- /*
- * Calling gssEapInquireCred() forces the default acceptor credential name
- * to be resolved.
- */
- major = gssEapInquireCred(minor, cred, &ctx->acceptorName, NULL, NULL, NULL);
- if (GSS_ERROR(major))
- goto cleanup;
+ if (cred->name != GSS_C_NO_NAME) {
+ major = gssEapDuplicateName(minor, cred->name, &ctx->acceptorName);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
major = gssEapSmStep(minor,
cred,