X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=accept_sec_context.c;h=d7a4708ff04fba50b529a5ebc9858262c7736cb4;hb=163856b1a70d7773c46d4ea5495b85c4dce0f089;hp=4406638a922b4f5aa0cbfd6a6a302612c5ffb3ab;hpb=0cb1b7ee2a4af74685bc3c14d3c0141fc76610da;p=mech_eap.orig
diff --git a/accept_sec_context.c b/accept_sec_context.c
index 4406638..d7a4708 100644
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -108,7 +108,8 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
 return major;
 major = gssEapCreateAttrContext(minor, cred, ctx,
- &ctx->initiatorName->attrCtx);
+ &ctx->initiatorName->attrCtx,
+ &ctx->expiryTime);
 if (GSS_ERROR(major))
 return major;
@@ -160,7 +161,7 @@ eapGssSmAcceptIdentity(OM_uint32 *minor,
 if (GSS_ERROR(major))
 return major;
- ctx->state = EAP_STATE_AUTHENTICATE;
+ ctx->state = GSSEAP_STATE_AUTHENTICATE;
 *minor = 0;
 return GSS_S_CONTINUE_NEEDED;
@@ -196,10 +197,10 @@ setAcceptorIdentity(OM_uint32 *minor,
 krbPrinc = ctx->acceptorName->krbPrincipal;
 assert(krbPrinc != NULL);
- assert(krb5_princ_size(krbContext, krbPrinc) >= 2);
+ assert(KRB_PRINC_LENGTH(krbPrinc) >= 2);
 /* Acceptor-Service-Name */
- krbDataToGssBuffer(krb5_princ_component(krbContext, krbPrinc, 0), &nameBuf);
+ krbPrincComponentToGssBuffer(krbPrinc, 0, &nameBuf);
 major = gssEapRadiusAddAvp(minor, vps, PW_GSS_ACCEPTOR_SERVICE_NAME,
@@ -209,7 +210,7 @@ setAcceptorIdentity(OM_uint32 *minor,
 return major;
 /* Acceptor-Host-Name */
- krbDataToGssBuffer(krb5_princ_component(krbContext, krbPrinc, 1), &nameBuf);
+ krbPrincComponentToGssBuffer(krbPrinc, 1, &nameBuf);
 major = gssEapRadiusAddAvp(minor, vps, PW_GSS_ACCEPTOR_HOST_NAME,
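Review bot: Nothing in the hunk initialises `ctx->expiryTime` before it is passed to gssEapCreateAttrContext as an out-parameter, so if the callee only writes it when the attribute source actually carries a lifetime, a context established without one keeps whatever the field held beforehand — probably zero from allocation, but that depends on code outside this hunk. I would either set it explicitly before the call, `ctx->expiryTime = 0;`, or document the callee contract at the call site: `/* gssEapCreateAttrContext is expected to set expiryTime on every success path; document what the "no lifetime asserted" value is */`. It is also worth confirming that the stored expiry is later enforced against the current time and not merely reported through inquiry, since an attribute-derived lifetime is the only thing bounding the session here. acceptReadyEap begins and ends outside the hunk.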
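Review bot: `assert(KRB_PRINC_LENGTH(krbPrinc) >= 2)` is the only guard before component 1 of the acceptor principal is read in the following hunk, and assert compiles to nothing under NDEBUG, so a single-component acceptor name would read past the component array in a release build. The acceptor name comes from local credentials rather than from the peer, so this is a robustness issue rather than a remote one, but a runtime check is cheap: `if (KRB_PRINC_LENGTH(krbPrinc) < 2) return GSS_S_BAD_NAME;` with `*minor` set to a suitable mechanism-specific code, keeping the assert as well if desired. setAcceptorIdentity continues outside the hunk.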
@@ -218,13 +219,13 @@ setAcceptorIdentity(OM_uint32 *minor,
 if (GSS_ERROR(major))
 return major;
- if (krb5_princ_size(krbContext, krbPrinc) > 2) {
+ if (KRB_PRINC_LENGTH(krbPrinc) > 2) {
 /* Acceptor-Service-Specific */
 krb5_principal_data ssiPrinc = *krbPrinc;
 char *ssi;
- krb5_princ_size(krbContext, &ssiPrinc) -= 2;
- krb5_princ_name(krbContext, &ssiPrinc) += 2;
+ KRB_PRINC_LENGTH(&ssiPrinc) -= 2;
+ KRB_PRINC_NAME(&ssiPrinc) += 2;
 *minor = krb5_unparse_name_flags(krbContext, &ssiPrinc, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &ssi);
@@ -246,7 +247,7 @@ setAcceptorIdentity(OM_uint32 *minor,
 krb5_free_unparsed_name(krbContext, ssi);
 }
- krbDataToGssBuffer(krb5_princ_realm(krbContext, krbPrinc), &nameBuf);
+ krbPrincRealmToGssBuffer(krbPrinc, &nameBuf);
 if (nameBuf.length != 0) {
 /* Acceptor-Realm-Name */
 major = gssEapRadiusAddAvp(minor, vps,
@@ -427,7 +428,7 @@ eapGssSmAcceptAuthenticate(OM_uint32 *minor,
 if (GSS_ERROR(major))
 goto cleanup;
- ctx->state = EAP_STATE_EXTENSIONS_REQ;
+ ctx->state = GSSEAP_STATE_EXTENSIONS_REQ;
 }
 *minor = 0;
@@ -456,7 +457,7 @@ eapGssSmAcceptExtensionsReq(OM_uint32 *minor,
 outputToken->length = 0;
 outputToken->value = NULL;
- ctx->state = EAP_STATE_EXTENSIONS_RESP;
+ ctx->state = GSSEAP_STATE_EXTENSIONS_RESP;
 *minor = 0;
 return GSS_S_CONTINUE_NEEDED;
@@ -476,7 +477,7 @@ eapGssSmAcceptExtensionsResp(OM_uint32 *minor,
 if (GSS_ERROR(major))
 return major;
- ctx->state = EAP_STATE_ESTABLISHED;
+ ctx->state = GSSEAP_STATE_ESTABLISHED;
 *minor = 0;
 return GSS_S_COMPLETE;
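Review bot: `ssiPrinc` is a shallow copy of `*krbPrinc` whose component pointer and length are then shifted by two, so it aliases krbPrinc's component storage; that is fine here because only `ssi` is released (`krb5_free_unparsed_name`), but the copy must never reach krb5_free_principal, and nothing says so. A comment at the declaration would protect the next maintainer: `/* shallow copy aliasing krbPrinc's components; skips service/host, must never be freed */`. The rewrite also relies on KRB_PRINC_LENGTH and KRB_PRINC_NAME expanding to assignable lvalues on every supported Kerberos implementation — presumably the purpose of the macros, but not visible from this hunk. setAcceptorIdentity begins and ends outside the hunk.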
@@ -510,28 +511,12 @@ makeErrorToken(OM_uint32 *minor,
 * Only return error codes that the initiator could have caused,
 * to avoid information leakage.
 */
- switch (minorStatus) {
- case GSSEAP_WRONG_SIZE:
- case GSSEAP_WRONG_MECH:
- case GSSEAP_BAD_TOK_HEADER:
- case GSSEAP_TOK_TRUNC:
- case GSSEAP_BAD_DIRECTION:
- case GSSEAP_WRONG_TOK_ID:
- case GSSEAP_CRIT_EXT_UNAVAILABLE:
- case GSSEAP_MISSING_REQUIRED_EXT:
- case GSSEAP_KEY_UNAVAILABLE:
- case GSSEAP_KEY_TOO_SHORT:
- case GSSEAP_RADIUS_AUTH_FAILURE:
- case GSSEAP_UNKNOWN_RADIUS_CODE:
- case GSSEAP_MISSING_EAP_REQUEST:
- break;
- default:
- if (IS_RADIUS_ERROR(minorStatus))
- /* Squash RADIUS error codes */
- minorStatus = GSSEAP_RADIUS_PROT_FAILURE;
- else
- /* Don't return system error codes */
- return GSS_S_COMPLETE;
+ if (IS_RADIUS_ERROR(minorStatus)) {
+ /* Squash RADIUS error codes */
+ minorStatus = GSSEAP_RADIUS_PROT_FAILURE;
+ } else if (!IS_WIRE_ERROR(minorStatus)) {
+ /* Don't return non-wire error codes */
+ return GSS_S_COMPLETE;
 }
 minorStatus -= ERROR_TABLE_BASE_eapg;
@@ -641,7 +626,7 @@ gss_accept_sec_context(OM_uint32 *minor,
 * machine and process Kerberos GSS messages instead.
 */
 if (tokType == TOK_TYPE_GSS_REAUTH && initialContextToken) {
- ctx->state = EAP_STATE_KRB_REAUTH_GSS;
+ ctx->state = GSSEAP_STATE_KRB_REAUTH;
 } else
 #endif
 if (tokType != sm->inputTokenType) {
@@ -667,7 +652,7 @@ gss_accept_sec_context(OM_uint32 *minor,
 goto cleanup;
 }
- sm = &eapGssAcceptorSm[EAP_STATE_ERROR];
+ sm = &eapGssAcceptorSm[GSSEAP_STATE_ERROR];
 goto send_token;
 }
 } while (major == GSS_S_CONTINUE_NEEDED && innerOutputToken.length == 0);
@@ -694,7 +679,7 @@ gss_accept_sec_context(OM_uint32 *minor,
 }
 }
- assert(ctx->state == EAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
+ assert(ctx->state == GSSEAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
 send_token:
 if (innerOutputToken.value != NULL) {
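Review bot: Replacing the explicit allowlist with `IS_WIRE_ERROR()` turns the information-leak control into a property of the error table's layout: any code that lands in the wire range in future is sent to the initiator automatically, whereas the old switch required a deliberate opt-in per code. That is acceptable only if the range is documented as carrying that meaning, so I would add at the check `/* IS_WIRE_ERROR() is range-based: placing a code in the wire range of the error table exposes it to the peer, so keep that range to initiator-caused conditions */`. Codes the old switch returned, such as GSSEAP_KEY_UNAVAILABLE and GSSEAP_RADIUS_AUTH_FAILURE, are now disclosed only if they fall inside that range, which cannot be confirmed from this hunk and is worth checking against the table. makeErrorToken continues outside the hunk.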
@@ -745,7 +730,7 @@ acceptReadyKrb(OM_uint32 *minor,
 if (GSS_ERROR(major))
 return major;
- ctx->state = EAP_STATE_ESTABLISHED;
+ ctx->state = GSSEAP_STATE_ESTABLISHED;
 *minor = 0;
 return GSS_S_COMPLETE;
@@ -765,7 +750,7 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
 gss_OID mech = GSS_C_NO_OID;
 OM_uint32 gssFlags, timeRec = GSS_C_INDEFINITE;
- ctx->flags |= CTX_FLAG_KRB_REAUTH_GSS;
+ ctx->flags |= CTX_FLAG_KRB_REAUTH;
 if (cred != GSS_C_NO_CREDENTIAL)
 krbCred = cred->krbCred;