#include "util_radius.h"
#include "utils/radius_utils.h"
+/* methods allowed for phase1 authentication*/
+static const struct eap_method_type allowed_eap_method_types[] = {
+ {EAP_VENDOR_IETF, EAP_TYPE_TTLS},
+ {EAP_VENDOR_IETF, EAP_TYPE_NONE}};
+
static OM_uint32
policyVariableToFlag(enum eapol_bool_var variable)
{
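Review bot: The new `allowed_eap_method_types` table carries only a one-line comment, yet its role is a security control rather than configuration: it is what keeps the peer from accepting a weaker, non-tunnelled method should the acceptor propose one, as far as the peer library treats `eap_methods` as an allow-list. I would document that and the invariants a maintainer must keep: `/* Phase-1 EAP methods this peer will accept; keep to TLS-tunnelled methods. */` above the table, `/* terminator */` on the `EAP_TYPE_NONE` entry, and a note that the table is handed to the peer config by pointer and so must stay immutable. That it is an allow-list rather than a preference order is inferred from the name and should be confirmed against the peer code in use.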
index = CONFIG_BLOB_CLIENT_CERT;
else if (strcmp(name, "private-key") == 0)
index = CONFIG_BLOB_PRIVATE_KEY;
+ else if (strcmp(name, "ca-cert") == 0)
+ index = CONFIG_BLOB_CA_CERT;
else
return NULL;
peerNotifyPending,
};
-#ifdef GSSEAP_DEBUG
extern int wpa_debug_level;
-#endif
#define CHBIND_SERVICE_NAME_FLAG 0x01
#define CHBIND_HOST_NAME_FLAG 0x02
major = gssEapRadiusAddAttr(minor, &buf,
PW_GSS_ACCEPTOR_REALM_NAME,
0, &nameBuf);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
chbindReqFlags |= CHBIND_REALM_NAME_FLAG;
}
gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
gss_cred_id_t cred = ctx->cred;
+ char *debug_file = NULL;
eapPeerConfig->identity = NULL;
eapPeerConfig->identity_len = 0;
eapPeerConfig->anonymous_identity_len = 0;
eapPeerConfig->password = NULL;
eapPeerConfig->password_len = 0;
+ eapPeerConfig->eap_methods = (struct eap_method_type *) allowed_eap_method_types;
GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
GSSEAP_KRB_INIT(&krbContext);
eapPeerConfig->fragment_size = 1024;
-#ifdef GSSEAP_DEBUG
- wpa_debug_level = 0;
-#endif
-
+ wpa_debug_level = MSG_ERROR;
+ if ((debug_file = getenv("GSSEAP_TRACE")) != NULL) {
+ wpa_debug_open_file(debug_file);
+ wpa_debug_level = 0;
+ }
+
GSSEAP_ASSERT(cred->name != GSS_C_NO_NAME);
if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {
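Review bot: The `GSSEAP_TRACE` handling added after `wpa_debug_level = MSG_ERROR;` takes a file path from the environment and opens it at level 0, so a process that loads this mechanism with an attacker-influenced environment can be made to create or truncate a file of the attacker's choosing and to dump the full EAP exchange, which at that verbosity includes phase-2 credentials and keying material. This library is loaded into arbitrary GSS callers, some of which may run set-uid or otherwise privileged, so the knob should be ignored in a secure-execution state, e.g. `if ((debug_file = secure_getenv("GSSEAP_TRACE")) != NULL)` on glibc (or `issetugid()` / `getauxval(AT_SECURE)` where those exist), and the return of `wpa_debug_open_file()` should be checked before lowering the level so a failed open does not silently switch to level 0 on the default sink. Separately, the `(struct eap_method_type *)` cast on the `eap_methods` assignment strips `const` from a static table; if any consumer writes to or frees `eap_methods` that is undefined behaviour, so either confirm the peer treats it as read-only or hand it a heap copy. The enclosing function starts and ends outside this hunk.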
eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+ configBlobs[CONFIG_BLOB_CA_CERT].data = cred->caCertificateBlob.value;
+ configBlobs[CONFIG_BLOB_CA_CERT].len = cred->caCertificateBlob.length;
/* eap channel binding */
if (ctx->initiatorCtx.chbindData != NULL) {
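Review bot: The CA-certificate blob is now installed in `configBlobs[CONFIG_BLOB_CA_CERT]`, but nothing in this hunk points `eapPeerConfig->ca_cert` at it: the line above still sets `ca_cert` from `cred->caCertificate.value`, so a credential that carries only the blob would, as far as this hunk shows, leave `ca_cert` NULL and the TTLS server certificate unverified, which defeats the tunnel against an active attacker. If the `"ca-cert"` name lookup is how the TLS layer locates the blob, I would expect `if (cred->caCertificateBlob.length != 0 && eapPeerConfig->ca_cert == NULL) eapPeerConfig->ca_cert = (unsigned char *)"blob://ca-cert";` here, or a comment saying where that binding happens, and a comment on `subject_match`/`altsubject_match` noting that without at least one of them any valid certificate from the same CA is accepted. Whether the peer honours `blob://` references and what `caCertificateBlob` holds when unset are inferred from the names and should be confirmed. The enclosing function runs beyond the hunk.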
unsigned char wireFlags[4];
gss_buffer_desc flagsBuf;
+ /*
+ * As a temporary measure, force mutual authentication until channel binding is
+ * more widely deployed.
+ */
+ ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags);
flagsBuf.length = sizeof(wireFlags);
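Review bot: The forced `GSS_C_MUTUAL_FLAG` now lands before `store_uint32_be()` serialises `ctx->gssFlags`, so the acceptor sees the same flag the initiator later reports, but the comment was moved unchanged and does not say that this ordering is the point of the move. I would extend it with `/* Must precede the serialisation below so the wire flags match what we report to the caller. */`. Because the forcing no longer happens at the ESTABLISHED transition, any path that reaches ESTABLISHED without executing this block would now report ret_flags without MUTUAL; whether such a path exists (the `if (ctx->initiatorCtx.chbindData != NULL)` just above may or may not enclose this code) is not visible here and is worth checking. The enclosing function starts before the hunk.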
if (GSS_ERROR(major))
return major;
- /*
- * As a temporary measure, force mutual authentication until channel binding is
- * more widely deployed.
- */
- ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
*minor = 0;