X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=accept_sec_context.c;h=bdf86eae114f7202635b29c98401202954aa8443;hb=38bac166b545aeea6e9c6d4da1deafa51581fe24;hp=8d12d42171890f3b62168dc358a6f0853646eee9;hpb=f539123f4aa77a2ed7738173c21e938f8ed1adab;p=mech_eap.orig
diff --git a/accept_sec_context.c b/accept_sec_context.c
index 8d12d42..bdf86ea 100644
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -30,6 +30,11 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * Establish a security context on the acceptor (server). These functions
+ * wrap around libradsec and (thus) talk to a RADIUS server or proxy.
+ */
+
 #include "gssapiP_eap.h"
 
 #ifdef GSSEAP_ENABLE_REAUTH
@@ -102,7 +107,11 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
     if (GSS_ERROR(major))
         return major;
 
-    ctx->initiatorName->attrCtx = gssEapCreateAttrContext(cred, ctx);
+    major = gssEapCreateAttrContext(minor, cred, ctx,
+                                    &ctx->initiatorName->attrCtx,
+                                    &ctx->expiryTime);
+    if (GSS_ERROR(major))
+        return major;
 
     *minor = 0;
     return GSS_S_COMPLETE;
@@ -152,7 +161,7 @@ eapGssSmAcceptIdentity(OM_uint32 *minor,
     if (GSS_ERROR(major))
         return major;
 
-    ctx->state = EAP_STATE_AUTHENTICATE;
+    ctx->state = GSSEAP_STATE_AUTHENTICATE;
 
     *minor = 0;
     return GSS_S_CONTINUE_NEEDED;
@@ -170,9 +179,9 @@ setAcceptorIdentity(OM_uint32 *minor,
     gss_buffer_desc nameBuf;
     krb5_context krbContext = NULL;
     krb5_principal krbPrinc;
-    struct rs_handle *rh = ctx->acceptorCtx.radHandle;
+    struct rs_context *rc = ctx->acceptorCtx.radContext;
 
-    assert(rh != NULL);
+    assert(rc != NULL);
 
     if (ctx->acceptorName == GSS_C_NO_NAME) {
         *minor = 0;
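Review bot: The new gssEapCreateAttrContext call also writes through `&ctx->expiryTime`, so the context lifetime now depends on whatever that helper derives, yet nothing in the hunk initialises `ctx->expiryTime` before the call; if the helper leaves it untouched on some success path, whatever value was already there carries into the established context. This is worth confirming against the helper and recording at the call site, e.g. `/* also sets ctx->expiryTime; a valid lifetime is expected on success */`. acceptReadyEap begins and ends outside this hunk.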
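Review bot: In the setAcceptorIdentity hunk, `rc` is assigned from `ctx->acceptorCtx.radContext` and then only appears in `assert(rc != NULL)` within the visible lines; if the rest of the function (outside this hunk) does not read it, the local becomes an unused variable under NDEBUG and the precondition check vanishes with it. If the intent is only to verify that the RADIUS context exists, `assert(ctx->acceptorCtx.radContext != NULL);` without the local avoids the warning and states the precondition directly.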
@@ -188,10 +197,10 @@ setAcceptorIdentity(OM_uint32 *minor,
     krbPrinc = ctx->acceptorName->krbPrincipal;
     assert(krbPrinc != NULL);
-    assert(krb5_princ_size(krbContext, krbPrinc) >= 2);
+    assert(KRB_PRINC_LENGTH(krbPrinc) >= 2);
 
     /* Acceptor-Service-Name */
-    krbDataToGssBuffer(krb5_princ_component(krbContext, krbPrinc, 0), &nameBuf);
+    krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf);
 
     major = gssEapRadiusAddAvp(minor, vps,
                                PW_GSS_ACCEPTOR_SERVICE_NAME,
@@ -201,7 +210,7 @@ setAcceptorIdentity(OM_uint32 *minor,
         return major;
 
     /* Acceptor-Host-Name */
-    krbDataToGssBuffer(krb5_princ_component(krbContext, krbPrinc, 1), &nameBuf);
+    krbPrincComponentToGssBuffer(krbPrinc, 1, &nameBuf);
 
     major = gssEapRadiusAddAvp(minor, vps,
                                PW_GSS_ACCEPTOR_HOST_NAME,
@@ -210,13 +219,13 @@ setAcceptorIdentity(OM_uint32 *minor,
     if (GSS_ERROR(major))
         return major;
 
-    if (krb5_princ_size(krbContext, krbPrinc) > 2) {
+    if (KRB_PRINC_LENGTH(krbPrinc) > 2) {
         /* Acceptor-Service-Specific */
         krb5_principal_data ssiPrinc = *krbPrinc;
         char *ssi;
 
-        krb5_princ_size(krbContext, &ssiPrinc) -= 2;
-        krb5_princ_name(krbContext, &ssiPrinc) += 2;
+        KRB_PRINC_LENGTH(&ssiPrinc) -= 2;
+        KRB_PRINC_NAME(&ssiPrinc) += 2;
 
         *minor = krb5_unparse_name_flags(krbContext, &ssiPrinc,
                                          KRB5_PRINCIPAL_UNPARSE_NO_REALM, &ssi);
@@ -238,7 +247,7 @@ setAcceptorIdentity(OM_uint32 *minor,
         krb5_free_unparsed_name(krbContext, ssi);
     }
 
-    krbDataToGssBuffer(krb5_princ_realm(krbContext, krbPrinc), &nameBuf);
+    krbPrincRealmToGssBuffer(krbPrinc, &nameBuf);
     if (nameBuf.length != 0) {
         /* Acceptor-Realm-Name */
         major = gssEapRadiusAddAvp(minor, vps,
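Review bot: `KRB_PRINC_LENGTH(&ssiPrinc) -= 2;` and `KRB_PRINC_NAME(&ssiPrinc) += 2;` use the new accessor macros as lvalues on a stack copy of the principal, which quietly constrains how those macros may be defined for any other Kerberos implementation and relies on the `> 2` guard above to keep the adjusted name pointer inside the component array shared with `krbPrinc`. A short comment would keep that intent visible to whoever next touches the macros, e.g. `/* ssiPrinc shares krbPrinc's component array; skip the service and host components (bounded by the > 2 check above) */`. setAcceptorIdentity continues outside this hunk.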
@@ -267,10 +276,10 @@ createRadiusHandle(OM_uint32 *minor,
     struct rs_alloc_scheme ralloc;
     struct rs_error *err;
 
-    assert(actx->radHandle == NULL);
+    assert(actx->radContext == NULL);
     assert(actx->radConn == NULL);
 
-    if (rs_context_create(&actx->radHandle, RS_DICT_FILE) != 0) {
+    if (rs_context_create(&actx->radContext, RS_DICT_FILE) != 0) {
         *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
         return GSS_S_FAILURE;
     }
@@ -287,27 +296,24 @@ createRadiusHandle(OM_uint32 *minor,
     ralloc.free = GSSEAP_FREE;
     ralloc.realloc = GSSEAP_REALLOC;
 
-    rs_context_set_alloc_scheme(actx->radHandle, &ralloc);
+    rs_context_set_alloc_scheme(actx->radContext, &ralloc);
 
-    if (rs_context_read_config(actx->radHandle, configFile) != 0) {
-        err = rs_err_ctx_pop(actx->radHandle);
+    if (rs_context_read_config(actx->radContext, configFile) != 0) {
+        err = rs_err_ctx_pop(actx->radContext);
         goto fail;
     }
 
-    if (rs_conn_create(actx->radHandle, &actx->radConn, configStanza) != 0) {
+    if (rs_conn_create(actx->radContext, &actx->radConn, configStanza) != 0) {
         err = rs_err_conn_pop(actx->radConn);
         goto fail;
     }
 
-    /* XXX TODO rs_conn_select_server does not exist yet */
-#if 0
     if (actx->radServer != NULL) {
         if (rs_conn_select_server(actx->radConn, actx->radServer) != 0) {
             err = rs_err_conn_pop(actx->radConn);
             goto fail;
         }
     }
-#endif
 
     *minor = 0;
     return GSS_S_COMPLETE;
@@ -328,14 +334,13 @@ eapGssSmAcceptAuthenticate(OM_uint32 *minor,
                            gss_buffer_t outputToken)
 {
     OM_uint32 major, tmpMinor;
-    struct rs_handle *rh;
     struct rs_connection *rconn;
     struct rs_request *request = NULL;
     struct rs_packet *req = NULL, *resp = NULL;
     struct radius_packet *frreq, *frresp;
     int sendAcceptorIdentity = 0;
 
-    if (ctx->acceptorCtx.radHandle == NULL) {
+    if (ctx->acceptorCtx.radContext == NULL) {
         /* May be NULL from an imported partial context */
         major = createRadiusHandle(minor, cred, ctx);
         if (GSS_ERROR(major))
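Review bot: On the `rs_conn_create` failure path the error is fetched with `rs_err_conn_pop(actx->radConn)`, but `actx->radConn` was asserted NULL at the top of createRadiusHandle and may still be NULL when creation fails, so the connection has no error stack to pop and the call would operate on a NULL handle; whether libradsec tolerates that is not visible in this hunk. One way to cover both cases is `err = actx->radConn ? rs_err_conn_pop(actx->radConn) : rs_err_ctx_pop(actx->radContext);`, or confirm the library contract and say so in a comment on that line. The newly enabled `rs_conn_select_server` branch is not affected, since it only runs after creation succeeded. The `fail:` label and the remainder of the function are outside this hunk.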
@@ -344,7 +349,6 @@ eapGssSmAcceptAuthenticate(OM_uint32 *minor,
         sendAcceptorIdentity = 1;
     }
 
-    rh = ctx->acceptorCtx.radHandle;
     rconn = ctx->acceptorCtx.radConn;
 
     if (rs_packet_create_acc_request(rconn, &req, NULL, NULL) != 0) {
@@ -424,7 +428,7 @@ eapGssSmAcceptAuthenticate(OM_uint32 *minor,
         if (GSS_ERROR(major))
             goto cleanup;
 
-        ctx->state = EAP_STATE_EXTENSIONS_REQ;
+        ctx->state = GSSEAP_STATE_EXTENSIONS_REQ;
     }
 
     *minor = 0;
@@ -453,7 +457,7 @@ eapGssSmAcceptExtensionsReq(OM_uint32 *minor,
     outputToken->length = 0;
     outputToken->value = NULL;
 
-    ctx->state = EAP_STATE_EXTENSIONS_RESP;
+    ctx->state = GSSEAP_STATE_EXTENSIONS_RESP;
 
     *minor = 0;
     return GSS_S_CONTINUE_NEEDED;
@@ -473,7 +477,7 @@ eapGssSmAcceptExtensionsResp(OM_uint32 *minor,
     if (GSS_ERROR(major))
         return major;
 
-    ctx->state = EAP_STATE_ESTABLISHED;
+    ctx->state = GSSEAP_STATE_ESTABLISHED;
 
     *minor = 0;
     return GSS_S_COMPLETE;
@@ -507,29 +511,12 @@ makeErrorToken(OM_uint32 *minor,
      * Only return error codes that the initiator could have caused,
      * to avoid information leakage.
      */
-    switch (minorStatus) {
-    case GSSEAP_WRONG_SIZE:
-    case GSSEAP_WRONG_MECH:
-    case GSSEAP_BAD_TOK_HEADER:
-    case GSSEAP_TOK_TRUNC:
-    case GSSEAP_BAD_DIRECTION:
-    case GSSEAP_WRONG_TOK_ID:
-    case GSSEAP_REFLECT:
-    case GSSEAP_CRIT_EXT_UNAVAILABLE:
-    case GSSEAP_MISSING_REQUIRED_EXT:
-    case GSSEAP_KEY_UNAVAILABLE:
-    case GSSEAP_KEY_TOO_SHORT:
-    case GSSEAP_RADIUS_AUTH_FAILURE:
-    case GSSEAP_UNKNOWN_RADIUS_CODE:
-    case GSSEAP_MISSING_EAP_REQUEST:
-        break;
-    default:
-        if (IS_RADIUS_ERROR(minorStatus))
-            /* Squash RADIUS error codes */
-            minorStatus = GSSEAP_GENERIC_RADIUS_ERROR;
-        else
-            /* Don't return system error codes */
-            return GSS_S_COMPLETE;
+    if (IS_RADIUS_ERROR(minorStatus)) {
+        /* Squash RADIUS error codes */
+        minorStatus = GSSEAP_RADIUS_PROT_FAILURE;
+    } else if (!IS_WIRE_ERROR(minorStatus)) {
+        /* Don't return non-wire error codes */
+        return GSS_S_COMPLETE;
     }
 
     minorStatus -= ERROR_TABLE_BASE_eapg;
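Review bot: In the makeErrorToken hunk, replacing the explicit list of initiator-attributable minor codes with `IS_WIRE_ERROR(minorStatus)` moves the information-leakage guard out of this function and into the numbering of the error table: every code the macro classifies as a wire error is now disclosed to the peer, including any added to that range later without anyone revisiting this comment. The comment above the check should state that invariant so it survives future additions, e.g. `/* IS_WIRE_ERROR must cover only codes the initiator could have caused; everything else is withheld */`. Codes that were listed before but may now fall on the RADIUS side of the split (for instance `GSSEAP_RADIUS_AUTH_FAILURE`, if `IS_RADIUS_ERROR` now matches it) are worth re-checking, since they would be squashed to `GSSEAP_RADIUS_PROT_FAILURE` rather than reported as before. makeErrorToken begins outside this hunk.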
@@ -639,7 +626,7 @@ gss_accept_sec_context(OM_uint32 *minor,
      * machine and process Kerberos GSS messages instead.
      */
     if (tokType == TOK_TYPE_GSS_REAUTH && initialContextToken) {
-        ctx->state = EAP_STATE_KRB_REAUTH_GSS;
+        ctx->state = GSSEAP_STATE_KRB_REAUTH;
     } else
 #endif
     if (tokType != sm->inputTokenType) {
@@ -665,7 +652,7 @@ gss_accept_sec_context(OM_uint32 *minor,
                 goto cleanup;
             }
 
-            sm = &eapGssAcceptorSm[EAP_STATE_ERROR];
+            sm = &eapGssAcceptorSm[GSSEAP_STATE_ERROR];
             goto send_token;
         }
     } while (major == GSS_S_CONTINUE_NEEDED && innerOutputToken.length == 0);
@@ -692,7 +679,7 @@ gss_accept_sec_context(OM_uint32 *minor,
         }
     }
 
-    assert(ctx->state == EAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
+    assert(ctx->state == GSSEAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
 
 send_token:
     if (innerOutputToken.value != NULL) {
@@ -729,7 +716,7 @@ acceptReadyKrb(OM_uint32 *minor,
 {
     OM_uint32 major;
 
-    major = gssEapGlueToMechName(minor, initiator, &ctx->initiatorName);
+    major = gssEapGlueToMechName(minor, ctx, initiator, &ctx->initiatorName);
     if (GSS_ERROR(major))
         return major;
 
@@ -743,7 +730,7 @@ acceptReadyKrb(OM_uint32 *minor,
     if (GSS_ERROR(major))
         return major;
 
-    ctx->state = EAP_STATE_ESTABLISHED;
+    ctx->state = GSSEAP_STATE_ESTABLISHED;
 
     *minor = 0;
     return GSS_S_COMPLETE;
@@ -763,7 +750,7 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
     gss_OID mech = GSS_C_NO_OID;
     OM_uint32 gssFlags, timeRec = GSS_C_INDEFINITE;
 
-    ctx->flags |= CTX_FLAG_KRB_REAUTH_GSS;
+    ctx->flags |= CTX_FLAG_KRB_REAUTH;
 
     if (cred != GSS_C_NO_CREDENTIAL)
         krbCred = cred->krbCred;