/*
- * Copyright (c) 2011, JANET(UK)
+ * Copyright (c) 2011, 2013, 2015, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
eapGssSmAcceptGssReauth(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
gss_OID mech,
OM_uint32 reqFlags,
OM_uint32 timeReq,
eapGssSmAcceptAcceptorName(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptVendorInfo(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptIdentity(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
return GSS_S_COMPLETE;
}
+/**
+ * Choose the correct error for an access reject packet.
+ */
+static OM_uint32
+eapGssAcceptHandleReject(OM_uint32 *minor,
+ struct rs_packet *response)
+{
+ rs_avp **vps;
+ rs_const_avp *vp = NULL;
+ OM_uint32 major;
+ const char *reply_message = NULL;
+ size_t reply_length = 0;
+
+ rs_packet_avps(response, &vps);
+ major = gssEapRadiusGetRawAvp(minor, *vps,
+ PW_REPLY_MESSAGE, 0, &vp);
+ if (!GSS_ERROR(major)) {
+ reply_message = rs_avp_string_value(vp);
+ reply_length = rs_avp_length(vp);
+ }
+
+ major = gssEapRadiusGetRawAvp(minor, *vps,
+ PW_ERROR_CAUSE, 0, &vp);
+ if (!GSS_ERROR(major)) {
+ switch (rs_avp_integer_value(vp)) {
+ /* Values from http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-18 */
+ case 502: /* request not routable (proxy) */
+ *minor = GSSEAP_RADIUS_UNROUTABLE;
+ break;
+ case 501: /* administratively prohibited */
+ *minor = GSSEAP_RADIUS_ADMIN_PROHIBIT;
+ break;
+
+ default:
+ *minor = GSSEAP_RADIUS_AUTH_FAILURE;
+ break;
+ }
+ } else
+ *minor = GSSEAP_RADIUS_AUTH_FAILURE;
+
+ if (reply_message != NULL)
+ gssEapSaveStatusInfo(*minor, "%s: %.*s", error_message(*minor),
+ reply_length, reply_message);
+ else
+ gssEapSaveStatusInfo(*minor, "%s", error_message(*minor));
+
+ return GSS_S_DEFECTIVE_CREDENTIAL;
+}
+
/*
* Process a EAP response from the initiator.
*/
eapGssSmAcceptAuthenticate(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
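Review bot: In eapGssAcceptHandleReject, `reply_length` is declared `size_t` but is passed as the `*` precision of `%.*s` in the gssEapSaveStatusInfo call, and that argument must be an `int`; on LP64 targets the variadic call reads the wrong width, which is undefined behaviour and can produce a garbled or over-long status string. Cast it, since the value is bounded by the RADIUS attribute length and fits: `gssEapSaveStatusInfo(*minor, "%s: %.*s", error_message(*minor), (int)reply_length, reply_message);`. Reply-Message is text received from the RADIUS server (possibly through proxies), so the function comment should say that the string is copied verbatim into the saved status and may contain non-printable bytes; the length bound keeps the copy in range but does not sanitise it. The `501`/`502` case labels would read better as named constants or, at least, with the `/* Values from ... */` comment placed above the switch so it covers both labels rather than sitting between the switch and the first case.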
case PW_ACCESS_ACCEPT:
break;
case PW_ACCESS_REJECT:
- *minor = GSSEAP_RADIUS_AUTH_FAILURE;
- major = GSS_S_DEFECTIVE_CREDENTIAL;
+ major = eapGssAcceptHandleReject( minor, resp);
goto cleanup;
break;
default:
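Review bot: The new call `eapGssAcceptHandleReject( minor, resp)` carries a stray space after the opening parenthesis, unlike the other calls in this file; `major = eapGssAcceptHandleReject(minor, resp);` matches the surrounding style. The switch and eapGssSmAcceptAuthenticate both start and end outside the hunk.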
eapGssSmAcceptGssFlags(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptInitiatorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptReauthCreds(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptAcceptorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptGssReauth(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
OM_uint32 GSSAPI_CALLCONV
gss_accept_sec_context(OM_uint32 *minor,
gss_ctx_id_t *context_handle,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_cred_id_t cred,
+#else
gss_cred_id_t cred,
+#endif
gss_buffer_t input_token,
gss_channel_bindings_t input_chan_bindings,
gss_name_t *src_name,
major = gssEapAcceptSecContext(minor,
ctx,
- cred,
+ (gss_cred_id_t)cred,
input_token,
input_chan_bindings,
src_name,
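Review bot: The `(gss_cred_id_t)cred` cast silently discards the `const` that the Heimdal build adds to the parameter, and nothing in the hunk records whether gssEapAcceptSecContext may write through it. If the callee only reads the credential, a comment on the cast such as `/* const is Heimdal API surface only; gssEapAcceptSecContext does not modify cred */` would document the assumption; if it does modify it, the cast hides a write to a caller-owned const object and the Heimdal signature should be reconsidered. The call continues outside the hunk.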
if (GSS_ERROR(major))
gssEapReleaseContext(&tmpMinor, context_handle);
+ gssEapTraceStatus("gss_accept_sec_context", major, *minor);
+
return major;
}