return false;
/* We assume libradsec validated this for us */
- assert(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
+ GSSEAP_ASSERT(pairfind(m_vps, PW_MESSAGE_AUTHENTICATOR) != NULL);
m_authenticated = true;
}
}
bool bInternalAttribute = false;
/* should have been filtered */
- assert(!isSecretAttributeP(attrid, vendor));
+ GSSEAP_ASSERT(!isSecretAttributeP(attrid, vendor));
switch (vendor) {
case VENDORPEC_UKERNA:
- bInternalAttribute = true;
+ switch (attrid) {
+ case PW_GSS_ACCEPTOR_SERVICE_NAME:
+ case PW_GSS_ACCEPTOR_HOST_NAME:
+ case PW_GSS_ACCEPTOR_SERVICE_SPECIFIC:
+ case PW_GSS_ACCEPTOR_REALM_NAME:
+ case PW_SAML_AAA_ASSERTION:
+ bInternalAttribute = true;
+ break;
+ default:
+ break;
+ }
break;
default:
break;
return isInternalAttributeP(ATTRID(attribute), VENDOR(attribute));
}
+static bool
+isFragmentedAttributeP(uint16_t attrid, uint16_t vendor)
+{
+ /* A bit of a hack for the PAC for now. Should be configurable. */
+ return (vendor == VENDORPEC_UKERNA) &&
+ !isInternalAttributeP(attrid, vendor);
+}
+
+static bool
+isFragmentedAttributeP(uint32_t attribute)
+{
+ return isFragmentedAttributeP(ATTRID(attribute), VENDOR(attribute));
+}
+
/*
* Copy AVP list, same as paircopy except it filters out attributes
* containing keys.
if (i == -1)
i = 0;
+ if (isSecretAttributeP(attrid) || isInternalAttributeP(attrid)) {
+ return false;
+ } else if (isFragmentedAttributeP(attrid)) {
+ return getFragmentedAttribute(attrid,
+ authenticated,
+ complete,
+ value);
+ }
+
for (vp = pairfind(m_vps, attrid);
vp != NULL;
vp = pairfind(vp->next, attrid)) {
duplicateBuffer(valueBuf, value);
}
- if (display_value != GSS_C_NO_BUFFER) {
+ if (display_value != GSS_C_NO_BUFFER &&
+ vp->type != PW_TYPE_OCTETS) {
char displayString[MAX_STRING_LEN];
gss_buffer_desc displayBuf;
}
bool
+gss_eap_radius_attr_provider::getFragmentedAttribute(uint32_t attrid,
+ int *authenticated,
+ int *complete,
+ gss_buffer_t value) const
+{
+ return getFragmentedAttribute(ATTRID(attrid), VENDOR(attrid),
+ authenticated, complete, value);
+}
+
+bool
gss_eap_radius_attr_provider::getAttribute(uint16_t attribute,
uint16_t vendor,
int *authenticated,
bool
gss_eap_radius_attr_provider::init(void)
{
- struct rs_context *radContext;
-
gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext);
-#if 1
- /*
- * This hack is necessary in order to force the loading of the global
- * dictionary, otherwise accepting reauthentication tokens fails unless
- * the acceptor has already accepted a normal authentication token.
- */
- if (rs_context_create(&radContext) != 0)
- return false;
-
- if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) {
- rs_context_destroy(radContext);
- return false;
- }
-
- if (rs_context_init_freeradius_dict(radContext, NULL)) {
- rs_context_destroy(radContext);
- return false;
- }
-
- rs_context_destroy(radContext);
-#endif
-
return true;
}
unsigned char *p;
uint32_t attr = VENDORATTR(vendor, attribute);
- buffer->length = 0;
- buffer->value = NULL;
+ if (buffer != GSS_C_NO_BUFFER) {
+ buffer->length = 0;
+ buffer->value = NULL;
+ }
vp = pairfind(vps, attr);
if (vp == NULL) {
return GSS_S_UNAVAILABLE;
}
- do {
- buffer->length += vp->length;
- } while (concat && (vp = pairfind(vp->next, attr)) != NULL);
+ if (buffer != GSS_C_NO_BUFFER) {
+ do {
+ buffer->length += vp->length;
+ } while (concat && (vp = pairfind(vp->next, attr)) != NULL);
- buffer->value = GSSEAP_MALLOC(buffer->length);
- if (buffer->value == NULL) {
- *minor = ENOMEM;
- return GSS_S_FAILURE;
- }
+ buffer->value = GSSEAP_MALLOC(buffer->length);
+ if (buffer->value == NULL) {
+ *minor = ENOMEM;
+ return GSS_S_FAILURE;
+ }
- p = (unsigned char *)buffer->value;
+ p = (unsigned char *)buffer->value;
- for (vp = pairfind(vps, attr);
- concat && vp != NULL;
- vp = pairfind(vp->next, attr)) {
- memcpy(p, vp->vp_octets, vp->length);
- p += vp->length;
+ for (vp = pairfind(vps, attr);
+ concat && vp != NULL;
+ vp = pairfind(vp->next, attr)) {
+ memcpy(p, vp->vp_octets, vp->length);
+ p += vp->length;
+ }
}
*minor = 0;
{
JSONObject obj;
- assert(vp->length <= MAX_STRING_LEN);
+ GSSEAP_ASSERT(vp->length <= MAX_STRING_LEN);
switch (vp->type) {
case PW_TYPE_INTEGER:
pNext = &vp->next;
}
- m_authenticated = obj["authenticated"].integer();
+ m_authenticated = obj["authenticated"].integer() ? true : false;
return true;
}
{
int code;
- assert(err != NULL);
+ GSSEAP_ASSERT(err != NULL);
code = rs_err_code(err, 0);
return GSS_S_FAILURE;
}
+
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext)
+{
+ const char *configFile = RS_CONFIG_FILE;
+ struct rs_context *radContext;
+ struct rs_alloc_scheme ralloc;
+ struct rs_error *err;
+ OM_uint32 major;
+
+ *pRadContext = NULL;
+
+ if (rs_context_create(&radContext) != 0) {
+ *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
+ return GSS_S_FAILURE;
+ }
+
+ if (cred->radiusConfigFile.value != NULL)
+ configFile = (const char *)cred->radiusConfigFile.value;
+
+ ralloc.calloc = GSSEAP_CALLOC;
+ ralloc.malloc = GSSEAP_MALLOC;
+ ralloc.free = GSSEAP_FREE;
+ ralloc.realloc = GSSEAP_REALLOC;
+
+ rs_context_set_alloc_scheme(radContext, &ralloc);
+
+ if (rs_context_read_config(radContext, configFile) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ if (rs_context_init_freeradius_dict(radContext, NULL) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ *pRadContext = radContext;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+
+fail:
+ major = gssEapRadiusMapError(minor, err);
+ rs_context_destroy(radContext);
+
+ return major;
+}