X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Faccept_sec_context.c;h=b594af0abd9d857a26dd2ce29e08e19ec0b86d5b;hb=3f993b33bfbccc6ac801d665a3d77a6f911ff74a;hp=a3637951ba34cb7cbd4f7c48dd2ae88aded53297;hpb=a7f15190816b74c00ce45d6659a298ad04ed3160;p=mech_eap.git
diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c
index a363795..b594af0 100644
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -42,7 +42,7 @@ static OM_uint32
 eapGssSmAcceptGssReauth(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
 gss_OID mech,
 OM_uint32 reqFlags,
 OM_uint32 timeReq,
@@ -135,7 +135,7 @@ static OM_uint32
 eapGssSmAcceptAcceptorName(OM_uint32 *minor,
 gss_cred_id_t cred GSSEAP_UNUSED,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -164,7 +164,7 @@ static OM_uint32
 eapGssSmAcceptVendorInfo(OM_uint32 *minor,
 gss_cred_id_t cred GSSEAP_UNUSED,
 gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -190,7 +190,7 @@ static OM_uint32
 eapGssSmAcceptIdentity(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -483,7 +483,7 @@ eapGssAcceptHandleReject(OM_uint32 *minor,
 gssEapSaveStatusInfo(*minor, "%s: %.*s", error_message(*minor), reply_length, reply_message);
 else
- gssEapSaveStatusInfo( *minor, "%s", error_message(*minor));
+ gssEapSaveStatusInfo(*minor, "%s", error_message(*minor));
 return GSS_S_DEFECTIVE_CREDENTIAL;
 }
@@ -495,7 +495,7 @@ static OM_uint32
 eapGssSmAcceptAuthenticate(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -640,7 +640,7 @@ static OM_uint32
 eapGssSmAcceptGssFlags(OM_uint32 *minor,
 gss_cred_id_t cred GSSEAP_UNUSED,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -674,7 +674,7 @@ static OM_uint32
 eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
 gss_cred_id_t cred GSSEAP_UNUSED,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -688,6 +688,9 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
 krb5_data data;
 krb5_checksum cksum;
 krb5_boolean valid = FALSE;
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto;
+#endif
 if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
 chanBindings->application_data.length == 0)
@@ -701,9 +704,29 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
 KRB_CHECKSUM_INIT(&cksum, ctx->checksumType, inputToken);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+ if (code != 0) {
+ *minor = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_verify_checksum(krbContext, krbCrypto,
+ KEY_USAGE_GSSEAP_CHBIND_MIC,
+ data.data, data.length, &cksum);
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ code = 0;
+ valid = FALSE;
+ } else if (code == 0) {
+ valid = TRUE;
+ }
+
+ krb5_crypto_destroy(krbContext, krbCrypto);
+#else
 code = krb5_c_verify_checksum(krbContext, &ctx->rfc3961Key, KEY_USAGE_GSSEAP_CHBIND_MIC, &data, &cksum, &valid);
+#endif /* HAVE_HEIMDAL_VERSION */
 if (code != 0) {
 *minor = code;
 return GSS_S_FAILURE;
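Review bot: The `if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)` block in the Heimdal branch of the -701 hunk carries the security-relevant semantics of this change — it turns a MIC mismatch into `code == 0, valid == FALSE` so the failure reaches the shared `valid` check after `#endif` (outside this hunk) rather than the generic GSS_S_FAILURE path, evidently to match what MIT's `krb5_c_verify_checksum` reports through its out-parameter — yet it has no comment saying so. I would add above it: `/* Match MIT semantics: a bad MIC is "verified, not valid", not a library error; any other Heimdal error still falls through to GSS_S_FAILURE below. */`. It is also worth a one-liner at `KRB_CHECKSUM_INIT` noting that the checksum type is taken from `ctx->checksumType`, not from the peer's token, which (if the macro does what its arguments suggest) is what stops a peer from substituting an unkeyed checksum type. eapGssSmAcceptGssChannelBindings begins and ends outside this hunk.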
@@ -724,7 +747,7 @@ static OM_uint32
 eapGssSmAcceptInitiatorMIC(OM_uint32 *minor,
 gss_cred_id_t cred GSSEAP_UNUSED,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -764,7 +787,7 @@ static OM_uint32
 eapGssSmAcceptReauthCreds(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -793,7 +816,7 @@ static OM_uint32
 eapGssSmAcceptAcceptorMIC(OM_uint32 *minor,
 gss_cred_id_t cred GSSEAP_UNUSED,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech GSSEAP_UNUSED,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -1022,7 +1045,7 @@ static OM_uint32
 eapGssSmAcceptGssReauth(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
 gss_OID mech,
 OM_uint32 reqFlags GSSEAP_UNUSED,
 OM_uint32 timeReq GSSEAP_UNUSED,
@@ -1080,7 +1103,11 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
 OM_uint32 GSSAPI_CALLCONV
 gss_accept_sec_context(OM_uint32 *minor,
 gss_ctx_id_t *context_handle,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_cred_id_t cred,
+#else
 gss_cred_id_t cred,
+#endif
 gss_buffer_t input_token,
 gss_channel_bindings_t input_chan_bindings,
 gss_name_t *src_name,
@@ -1118,7 +1145,7 @@ gss_accept_sec_context(OM_uint32 *minor,
 major = gssEapAcceptSecContext(minor,
 ctx,
- cred,
+ (gss_cred_id_t)cred,
 input_token,
 input_chan_bindings,
 src_name,
@@ -1134,5 +1161,6 @@ gss_accept_sec_context(OM_uint32 *minor,
 gssEapReleaseContext(&tmpMinor, context_handle);
 gssEapTraceStatus("gss_accept_sec_context", major, *minor);
+ return major;
 }
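Review bot: The `(gss_cred_id_t)cred` cast in the gssEapAcceptSecContext call (the -1118 hunk) strips the const that the Heimdal prototype added in the -1080 hunk (`gss_const_cred_id_t cred`), so the qualifier the public entry point now advertises is not enforced past this point; whether anything below writes to or locks the credential I cannot tell, since gssEapAcceptSecContext is outside this hunk, but if it does, the advertised contract is wrong rather than merely unchecked. On non-Heimdal builds the cast is a no-op, which makes it easy to overlook in review. I would annotate it: `(gss_cred_id_t)cred, /* Heimdal declares cred const; the internal API takes the mutable handle — do not write through it */`. The body of gss_accept_sec_context runs on either side of this hunk.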