/*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* SUCH DAMAGE.
*/
+/*
+ * Utility routines for context handles.
+ */
+
#include "gssapiP_eap.h"
OM_uint32
return GSS_S_FAILURE;
}
- *minor = krb5_init_context(&ctx->kerberosCtx);
- if (*minor != 0) {
+ if (GSSEAP_MUTEX_INIT(&ctx->mutex) != 0) {
+ *minor = errno;
gssEapReleaseContext(&tmpMinor, &ctx);
return GSS_S_FAILURE;
}
+ ctx->state = GSSEAP_STATE_INITIAL;
+
+ /*
+ * Integrity, confidentiality, sequencing and replay detection are
+ * always available. Regardless of what flags are requested in
+ * GSS_Init_sec_context, implementations MUST set the flag corresponding
+ * to these services in the output of GSS_Init_sec_context and
+ * GSS_Accept_sec_context.
+ */
+ ctx->gssFlags = GSS_C_TRANS_FLAG | /* exporting contexts */
+ GSS_C_INTEG_FLAG | /* integrity */
+ GSS_C_CONF_FLAG | /* confidentiality */
+ GSS_C_SEQUENCE_FLAG | /* sequencing */
+ GSS_C_REPLAY_FLAG; /* replay detection */
+
*pCtx = ctx;
return GSS_S_COMPLETE;
}
static void
-releaseInitiatorContext(struct eap_gss_initiator_ctx *ctx)
+releaseInitiatorContext(struct gss_eap_initiator_ctx *ctx)
{
eap_peer_sm_deinit(ctx->eap);
- wpabuf_free(ctx->eapReqData);
}
static void
-releaseAcceptorContext(struct eap_gss_acceptor_ctx *ctx)
+releaseAcceptorContext(struct gss_eap_acceptor_ctx *ctx)
{
+ OM_uint32 tmpMinor;
+
+ if (ctx->radConn != NULL)
+ rs_conn_destroy(ctx->radConn);
+ if (ctx->radContext != NULL)
+ rs_context_destroy(ctx->radContext);
+ if (ctx->radServer != NULL)
+ GSSEAP_FREE(ctx->radServer);
+ gss_release_buffer(&tmpMinor, &ctx->state);
+ if (ctx->vps != NULL)
+ gssEapRadiusFreeAvps(&tmpMinor, &ctx->vps);
}
OM_uint32
gssEapReleaseContext(OM_uint32 *minor,
gss_ctx_id_t *pCtx)
{
- OM_uint32 major, tmpMinor;
+ OM_uint32 tmpMinor;
gss_ctx_id_t ctx = *pCtx;
+ krb5_context krbContext = NULL;
if (ctx == GSS_C_NO_CONTEXT) {
return GSS_S_COMPLETE;
}
+ gssEapKerberosInit(&tmpMinor, &krbContext);
+
+#ifdef GSSEAP_ENABLE_REAUTH
+ if (ctx->flags & CTX_FLAG_KRB_REAUTH) {
+ gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
+ } else
+#endif
if (CTX_IS_INITIATOR(ctx)) {
releaseInitiatorContext(&ctx->initiatorCtx);
} else {
releaseAcceptorContext(&ctx->acceptorCtx);
}
- if (ctx->rfc3961Key != NULL) {
- krb5_free_keyblock(ctx->kerberosCtx, ctx->rfc3961Key);
- }
-
- if (ctx->kerberosCtx != NULL) {
- krb5_free_context(ctx->kerberosCtx);
- }
-
+ krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key);
gssEapReleaseName(&tmpMinor, &ctx->initiatorName);
gssEapReleaseName(&tmpMinor, &ctx->acceptorName);
- gss_release_oid(&tmpMinor, &ctx->mechanismUsed);
- sequenceFree(ctx->seqState);
+ gssEapReleaseOid(&tmpMinor, &ctx->mechanismUsed);
+ sequenceFree(&tmpMinor, &ctx->seqState);
+ gssEapReleaseCred(&tmpMinor, &ctx->defaultCred);
+ gss_release_buffer(&tmpMinor, &ctx->conversation);
+
+ GSSEAP_MUTEX_DESTROY(&ctx->mutex);
memset(ctx, 0, sizeof(*ctx));
GSSEAP_FREE(ctx);
*minor = 0;
return GSS_S_COMPLETE;
}
+
+OM_uint32
+gssEapContextTime(OM_uint32 *minor,
+ gss_ctx_id_t context_handle,
+ OM_uint32 *time_rec)
+{
+ *minor = 0;
+
+ if (context_handle->expiryTime == 0) {
+ *time_rec = GSS_C_INDEFINITE;
+ } else {
+ time_t now, lifetime;
+
+ time(&now);
+ lifetime = context_handle->expiryTime - now;
+ if (lifetime <= 0) {
+ *time_rec = 0;
+ return GSS_S_CONTEXT_EXPIRED;
+ }
+ *time_rec = lifetime;
+ }
+
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapGetConversationMIC(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_buffer_t convMIC)
+{
+ OM_uint32 major;
+ gss_iov_buffer_desc iov[2];
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[0].buffer = ctx->conversation;
+
+ iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
+ iov[1].buffer.length = 0;
+ iov[1].buffer.value = NULL;
+
+ major = gssEapWrapOrGetMIC(minor, ctx, FALSE, NULL, iov, 2, TOK_TYPE_MIC);
+ if (GSS_ERROR(major))
+ return major;
+
+ *convMIC = iov[1].buffer;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapVerifyConversationMIC(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ const gss_buffer_t convMIC)
+{
+ OM_uint32 major;
+ gss_iov_buffer_desc iov[3];
+ int confState;
+ size_t tokenHeaderLength;
+
+ if (convMIC == GSS_C_NO_BUFFER || convMIC->length < 16) {
+ *minor = GSSEAP_TOK_TRUNC;
+ return GSS_S_BAD_SIG;
+ }
+
+ iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
+ iov[0].buffer = ctx->conversation;
+
+ /*
+ * The conversation state already includes the MIC and its
+ * TLV header, as well as a header for emiting a subsequent
+ * token. These should not be included as input to verifyMIC.
+ */
+ tokenHeaderLength = ITOK_HEADER_LENGTH + convMIC->length
+ + 2 + ctx->mechanismUsed->length + 2;
+ assert(ctx->conversation.length >= tokenHeaderLength);
+ iov[0].buffer.length -= tokenHeaderLength;
+
+ iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER;
+ iov[1].buffer.length = 16;
+ iov[1].buffer.value = convMIC->value;
+
+ iov[2].type = GSS_IOV_BUFFER_TYPE_TRAILER;
+ iov[2].buffer.length = convMIC->length - 16;
+ iov[2].buffer.value = (unsigned char *)convMIC->value + 16;
+
+ major = gssEapUnwrapOrVerifyMIC(minor, ctx, &confState, NULL,
+ iov, 3, TOK_TYPE_MIC);
+
+
+ return major;
+}
+
+OM_uint32
+gssEapMakeTokenChannelBindings(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ gss_channel_bindings_t userChanBindings,
+ gss_buffer_t inputToken,
+ gss_channel_bindings_t wireChanBindings)
+{
+ gss_buffer_t wireData = &wireChanBindings->application_data;
+ unsigned char *p;
+ size_t tokenHeaderLength = 0;
+
+ memset(wireChanBindings, 0, sizeof(*wireChanBindings));
+
+ if (!CTX_IS_INITIATOR(ctx)) {
+ assert(inputToken != GSS_C_NO_BUFFER);
+
+ tokenHeaderLength = ITOK_HEADER_LENGTH + inputToken->length +
+ 2 + ctx->mechanismUsed->length + 2;
+ assert(ctx->conversation.length >= tokenHeaderLength);
+ }
+
+ wireData->length = ctx->conversation.length - tokenHeaderLength;
+
+ if (userChanBindings != GSS_C_NO_CHANNEL_BINDINGS)
+ wireData->length += userChanBindings->application_data.length;
+
+ wireData->value = GSSEAP_MALLOC(wireData->length);
+ if (wireData->value == NULL) {
+ *minor = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ p = (unsigned char *)wireData->value;
+
+ memcpy(p, ctx->conversation.value, ctx->conversation.length - tokenHeaderLength);
+ p += ctx->conversation.length - tokenHeaderLength;
+
+ if (userChanBindings != GSS_C_NO_CHANNEL_BINDINGS) {
+ memcpy(p, userChanBindings->application_data.value,
+ userChanBindings->application_data.length);
+ p += userChanBindings->application_data.length;
+ }
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}