projects / moonshot.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge branch 'master' into tlv-mic
[moonshot.git] / mech_eap / init_sec_context.c
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index cb54869..becb767 100644 (file)
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -199,13 +199,16 @@ peerConfigInit(OM_uint32 *minor,
                gss_cred_id_t cred,
                gss_ctx_id_t ctx)
 {
+    OM_uint32 major;
     krb5_context krbContext;
     struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
-    krb5_error_code code;
-    char *identity, *anonymousIdentity;
+    gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
+    gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
 
     eapPeerConfig->identity = NULL;
     eapPeerConfig->identity_len = 0;
+    eapPeerConfig->anonymous_identity = NULL;
+    eapPeerConfig->anonymous_identity_len = 0;
     eapPeerConfig->password = NULL;
     eapPeerConfig->password_len = 0;
 
@@ -220,25 +223,38 @@ peerConfigInit(OM_uint32 *minor,
 
     assert(cred->name != GSS_C_NO_NAME);
 
-    if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {
+    /*
+     * draft-ietf-abfab-gss-eap-01: the host portion is empty
+     * for initiators.
+     */
+    if ((cred->name->flags & NAME_FLAG_NAI) == 0) {
         *minor = GSSEAP_BAD_INITIATOR_NAME;
         return GSS_S_BAD_NAME;
     }
 
-    code = krb5_unparse_name(krbContext, cred->name->krbPrincipal, &identity);
-    if (code != 0) {
-        *minor = code;
+    /* identity */
+    major = gssEapDisplayName(minor, cred->name, &identity, NULL);
+    if (GSS_ERROR(major))
+        return major;
+
+    eapPeerConfig->identity = (unsigned char *)identity.value;
+    eapPeerConfig->identity_len = identity.length;
+
+    krbPrincRealmToGssBuffer(cred->name->krbPrincipal, &realm);
+
+    /* anonymous_identity */
+    eapPeerConfig->anonymous_identity = GSSEAP_MALLOC(realm.length + 2);
+    if (eapPeerConfig->anonymous_identity == NULL) {
+        *minor = ENOMEM;
         return GSS_S_FAILURE;
     }
 
-    anonymousIdentity = strchr(identity, '@');
-    if (anonymousIdentity == NULL)
-        anonymousIdentity = "";
+    eapPeerConfig->anonymous_identity[0] = '@';
+    memcpy(eapPeerConfig->anonymous_identity + 1, realm.value, realm.length);
+    eapPeerConfig->anonymous_identity[1 + realm.length] = '\0';
+    eapPeerConfig->anonymous_identity_len = 1 + realm.length;
 
-    eapPeerConfig->identity = (unsigned char *)identity;
-    eapPeerConfig->identity_len = strlen(identity);
-    eapPeerConfig->anonymous_identity = (unsigned char *)anonymousIdentity;
-    eapPeerConfig->anonymous_identity_len = strlen(anonymousIdentity);
+    /* password */
     eapPeerConfig->password = (unsigned char *)cred->password.value;
     eapPeerConfig->password_len = cred->password.length;
 
@@ -250,12 +266,19 @@ static OM_uint32
 peerConfigFree(OM_uint32 *minor,
                gss_ctx_id_t ctx)
 {
-    krb5_context krbContext;
     struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
 
-    GSSEAP_KRB_INIT(&krbContext);
+    if (eapPeerConfig->identity != NULL) {
+        GSSEAP_FREE(eapPeerConfig->identity);
+        eapPeerConfig->identity = NULL;
+        eapPeerConfig->identity_len = 0;
+    }
 
-    krb5_free_unparsed_name(krbContext, (char *)eapPeerConfig->identity);
+    if (eapPeerConfig->anonymous_identity != NULL) {
+        GSSEAP_FREE(eapPeerConfig->anonymous_identity);
+        eapPeerConfig->anonymous_identity = NULL;
+        eapPeerConfig->anonymous_identity_len = 0;
+    }
 
     *minor = 0;
     return GSS_S_COMPLETE;
@@ -362,15 +385,10 @@ initBegin(OM_uint32 *minor,
         GSSEAP_MUTEX_UNLOCK(&target->mutex);
     }
 
-    if (mech == GSS_C_NULL_OID) {
-        major = gssEapDefaultMech(minor, &ctx->mechanismUsed);
-    } else if (gssEapIsConcreteMechanismOid(mech)) {
-        if (!gssEapInternalizeOid(mech, &ctx->mechanismUsed))
-            major = duplicateOid(minor, mech, &ctx->mechanismUsed);
-    } else {
-        major = GSS_S_BAD_MECH;
-        *minor = GSSEAP_WRONG_MECH;
-    }
+    major = gssEapCanonicalizeOid(minor,
+                                  mech,
+                                  OID_FLAG_NULL_VALID | OID_FLAG_MAP_NULL_TO_DEFAULT_MECH,
+                                  &ctx->mechanismUsed);
     if (GSS_ERROR(major))
         return major;
 
@@ -467,8 +485,8 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
         goto cleanup;
 
     major = gssInitSecContext(minor,
-                              cred->krbCred,
-                              &ctx->kerberosCtx,
+                              cred->reauthCred,
+                              &ctx->reauthCtx,
                               mechTarget,
                               (gss_OID)gss_mech_krb5,
                               reqFlags | GSS_C_MUTUAL_FLAG,
@@ -558,7 +576,9 @@ eapGssSmInitAcceptorName(OM_uint32 *minor,
                ctx->acceptorName == GSS_C_NO_NAME) {
         /* Accept target name hint from acceptor */
         major = gssEapImportName(minor, inputToken,
-                                 GSS_C_NT_USER_NAME, &ctx->acceptorName);
+                                 GSS_C_NT_USER_NAME,
+                                 ctx->mechanismUsed,
+                                 &ctx->acceptorName);
         if (GSS_ERROR(major))
             return major;
     }
@@ -639,7 +659,7 @@ eapGssSmInitIdentity(OM_uint32 *minor,
         OM_uint32 tmpMinor;
 
         /* server didn't support reauthentication, sent EAP request */
-        gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
+        gssDeleteSecContext(&tmpMinor, &ctx->reauthCtx, GSS_C_NO_BUFFER);
         ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
         GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
     } else
@@ -758,6 +778,30 @@ cleanup:
 }
 
 static OM_uint32
+eapGssSmInitGssFlags(OM_uint32 *minor,
+                     gss_cred_id_t cred GSSEAP_UNUSED,
+                     gss_ctx_id_t ctx,
+                     gss_name_t target GSSEAP_UNUSED,
+                     gss_OID mech GSSEAP_UNUSED,
+                     OM_uint32 reqFlags GSSEAP_UNUSED,
+                     OM_uint32 timeReq GSSEAP_UNUSED,
+                     gss_channel_bindings_t chanBindings GSSEAP_UNUSED,
+                     gss_buffer_t inputToken GSSEAP_UNUSED,
+                     gss_buffer_t outputToken,
+                     OM_uint32 *smFlags GSSEAP_UNUSED)
+{
+    unsigned char wireFlags[4];
+    gss_buffer_desc flagsBuf;
+
+    store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags);
+
+    flagsBuf.length = sizeof(wireFlags);
+    flagsBuf.value = wireFlags;
+
+    return duplicateBuffer(minor, &flagsBuf, outputToken);
+}
+
+static OM_uint32
 eapGssSmInitGssChannelBindings(OM_uint32 *minor,
                                gss_cred_id_t cred GSSEAP_UNUSED,
                                gss_ctx_id_t ctx,
@@ -768,27 +812,19 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor,
                                gss_channel_bindings_t chanBindings,
                                gss_buffer_t inputToken GSSEAP_UNUSED,
                                gss_buffer_t outputToken,
-                               OM_uint32 *smFlags)
+                               OM_uint32 *smFlags GSSEAP_UNUSED)
 {
     OM_uint32 major;
-    gss_buffer_desc buffer = GSS_C_EMPTY_BUFFER;
-
-    if (ctx->flags & CTX_FLAG_KRB_REAUTH)
-        return GSS_S_CONTINUE_NEEDED;
 
-    if (chanBindings != GSS_C_NO_CHANNEL_BINDINGS)
-        buffer = chanBindings->application_data;
-
-    major = gssEapWrap(minor, ctx, TRUE, GSS_C_QOP_DEFAULT,
-                       &buffer, NULL, outputToken);
-    if (GSS_ERROR(major))
-        return major;
-
-    assert(outputToken->value != NULL);
+    if ((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0 &&
+        chanBindings != GSS_C_NO_CHANNEL_BINDINGS) {
+        major = gssEapWrap(minor, ctx, TRUE, GSS_C_QOP_DEFAULT,
+                           &chanBindings->application_data, NULL, outputToken);
+        if (GSS_ERROR(major))
+            return major;
+    }
 
     *minor = 0;
-    *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
-
     return GSS_S_CONTINUE_NEEDED;
 }
 
@@ -934,6 +970,13 @@ static struct gss_eap_sm eapGssInitiatorSm[] = {
     },
     {
         ITOK_TYPE_NONE,
+        ITOK_TYPE_GSS_FLAGS,
+        GSSEAP_STATE_INITIATOR_EXTS,
+        0,
+        eapGssSmInitGssFlags
+    },
+    {
+        ITOK_TYPE_NONE,
         ITOK_TYPE_GSS_CHANNEL_BINDINGS,
         GSSEAP_STATE_INITIATOR_EXTS,
         0,
@@ -982,6 +1025,7 @@ gss_init_sec_context(OM_uint32 *minor,
 {
     OM_uint32 major, tmpMinor;
     gss_ctx_id_t ctx = *context_handle;
+    int initialContextToken = 0;
 
     *minor = 0;
 
@@ -999,13 +1043,7 @@ gss_init_sec_context(OM_uint32 *minor,
             return major;
 
         ctx->flags |= CTX_FLAG_INITIATOR;
-
-        major = initBegin(minor, cred, ctx, target_name, mech_type,
-                          req_flags, time_req, input_chan_bindings);
-        if (GSS_ERROR(major)) {
-            gssEapReleaseContext(minor, &ctx);
-            return major;
-        }
+        initialContextToken = 1;
 
         *context_handle = ctx;
     }
@@ -1032,13 +1070,19 @@ gss_init_sec_context(OM_uint32 *minor,
 
     GSSEAP_MUTEX_LOCK(&cred->mutex);
 
-
     if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
         major = GSS_S_NO_CRED;
         *minor = GSSEAP_CRED_USAGE_MISMATCH;
         goto cleanup;
     }
 
+    if (initialContextToken) {
+        major = initBegin(minor, cred, ctx, target_name, mech_type,
+                          req_flags, time_req, input_chan_bindings);
+        if (GSS_ERROR(major))
+            goto cleanup;
+    }
+
     major = gssEapSmStep(minor,
                          cred,
                          ctx,
@@ -1055,8 +1099,14 @@ gss_init_sec_context(OM_uint32 *minor,
         goto cleanup;
 
     if (actual_mech_type != NULL) {
-        if (!gssEapInternalizeOid(ctx->mechanismUsed, actual_mech_type))
-            duplicateOid(&tmpMinor, ctx->mechanismUsed, actual_mech_type);
+        OM_uint32 tmpMajor;
+
+        tmpMajor = gssEapCanonicalizeOid(&tmpMinor, ctx->mechanismUsed, 0, actual_mech_type);
+        if (GSS_ERROR(tmpMajor)) {
+            major = tmpMajor;
+            *minor = tmpMinor;
+            goto cleanup;
+        }
     }
     if (ret_flags != NULL)
         *ret_flags = ctx->gssFlags;
Core Moonshot code including mech_eap