X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Finit_sec_context.c;h=23795fc738911e6d5a7f2cf3449c6c3104670375;hb=9c9f46eeed8ecbd816732d49d3f6ba9a5649fe71;hp=930eb32600cbe44037e1caf4b9a62a8a508751dc;hpb=fa210a112d16848a282d662f16f9b8589dd371df;p=mech_eap.orig diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c index 930eb32..23795fc 100644 --- a/mech_eap/init_sec_context.c +++ b/mech_eap/init_sec_context.c @@ -195,15 +195,14 @@ extern int wpa_debug_level; #endif static OM_uint32 -peerConfigInit(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t ctx) +peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) { OM_uint32 major; krb5_context krbContext; struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig; gss_buffer_desc identity = GSS_C_EMPTY_BUFFER; gss_buffer_desc realm = GSS_C_EMPTY_BUFFER; + gss_cred_id_t cred = ctx->cred; eapPeerConfig->identity = NULL; eapPeerConfig->identity_len = 0; @@ -254,6 +253,11 @@ peerConfigInit(OM_uint32 *minor, eapPeerConfig->password = (unsigned char *)cred->password.value; eapPeerConfig->password_len = cred->password.length; + /* certs */ + eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value; + eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value; + eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value; + *minor = 0; return GSS_S_COMPLETE; } @@ -341,7 +345,6 @@ initReady(OM_uint32 *minor, gss_ctx_id_t ctx, OM_uint32 reqFlags) static OM_uint32 initBegin(OM_uint32 *minor, - gss_cred_id_t cred, gss_ctx_id_t ctx, gss_name_t target, gss_OID mech, @@ -350,6 +353,7 @@ initBegin(OM_uint32 *minor, gss_channel_bindings_t chanBindings GSSEAP_UNUSED) { OM_uint32 major; + gss_cred_id_t cred = ctx->cred; assert(cred != GSS_C_NO_CREDENTIAL); @@ -634,7 +638,7 @@ eapGssSmInitIdentity(OM_uint32 *minor, static OM_uint32 eapGssSmInitAuthenticate(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, gss_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, @@ -647,14 +651,13 @@ eapGssSmInitAuthenticate(OM_uint32 *minor, { OM_uint32 major; OM_uint32 tmpMinor; - int code; struct wpabuf *resp = NULL; *minor = 0; assert(inputToken != GSS_C_NO_BUFFER); - major = peerConfigInit(minor, cred, ctx); + major = peerConfigInit(minor, ctx); if (GSS_ERROR(major)) goto cleanup; @@ -668,7 +671,7 @@ eapGssSmInitAuthenticate(OM_uint32 *minor, major = GSS_S_CONTINUE_NEEDED; - code = eap_peer_sm_step(ctx->initiatorCtx.eap); + eap_peer_sm_step(ctx->initiatorCtx.eap); if (ctx->flags & CTX_FLAG_EAP_RESP) { ctx->flags &= ~(CTX_FLAG_EAP_RESP); @@ -715,6 +718,30 @@ cleanup: } static OM_uint32 +eapGssSmInitGssFlags(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken, + OM_uint32 *smFlags GSSEAP_UNUSED) +{ + unsigned char wireFlags[4]; + gss_buffer_desc flagsBuf; + + store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags); + + flagsBuf.length = sizeof(wireFlags); + flagsBuf.value = wireFlags; + + return duplicateBuffer(minor, &flagsBuf, outputToken); +} + +static OM_uint32 eapGssSmInitGssChannelBindings(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, @@ -746,6 +773,33 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, return GSS_S_CONTINUE_NEEDED; } +static OM_uint32 +eapGssSmInitInitiatorMIC(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken, + OM_uint32 *smFlags) +{ + OM_uint32 major; + + major = gssEapMakeTokenMIC(minor, ctx, outputToken); + if (GSS_ERROR(major)) + return major; + + GSSEAP_SM_TRANSITION_NEXT(ctx); + + *minor = 0; + *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL; + + return GSS_S_CONTINUE_NEEDED; +} + #ifdef GSSEAP_ENABLE_REAUTH static OM_uint32 eapGssSmInitReauthCreds(OM_uint32 *minor, @@ -774,39 +828,24 @@ eapGssSmInitReauthCreds(OM_uint32 *minor, #endif /* GSSEAP_ENABLE_REAUTH */ static OM_uint32 -eapGssSmInitCompleteInitiatorExts(OM_uint32 *minor, - gss_cred_id_t cred GSSEAP_UNUSED, - gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, - gss_OID mech GSSEAP_UNUSED, - OM_uint32 reqFlags GSSEAP_UNUSED, - OM_uint32 timeReq GSSEAP_UNUSED, - gss_channel_bindings_t chanBindings GSSEAP_UNUSED, - gss_buffer_t inputToken GSSEAP_UNUSED, - gss_buffer_t outputToken GSSEAP_UNUSED, - OM_uint32 *smFlags) +eapGssSmInitAcceptorMIC(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken, + gss_buffer_t outputToken GSSEAP_UNUSED, + OM_uint32 *smFlags GSSEAP_UNUSED) { - GSSEAP_SM_TRANSITION_NEXT(ctx); - - *minor = 0; - *smFlags |= SM_FLAG_FORCE_SEND_TOKEN; + OM_uint32 major; - return GSS_S_CONTINUE_NEEDED; -} + major = gssEapVerifyTokenMIC(minor, ctx, inputToken); + if (GSS_ERROR(major)) + return major; -static OM_uint32 -eapGssSmInitCompleteAcceptorExts(OM_uint32 *minor, - gss_cred_id_t cred GSSEAP_UNUSED, - gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, - gss_OID mech GSSEAP_UNUSED, - OM_uint32 reqFlags GSSEAP_UNUSED, - OM_uint32 timeReq GSSEAP_UNUSED, - gss_channel_bindings_t chanBindings GSSEAP_UNUSED, - gss_buffer_t inputToken GSSEAP_UNUSED, - gss_buffer_t outputToken GSSEAP_UNUSED, - OM_uint32 *smFlags GSSEAP_UNUSED) -{ GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED); *minor = 0; @@ -866,6 +905,13 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { }, { ITOK_TYPE_NONE, + ITOK_TYPE_GSS_FLAGS, + GSSEAP_STATE_INITIATOR_EXTS, + 0, + eapGssSmInitGssFlags + }, + { + ITOK_TYPE_NONE, ITOK_TYPE_GSS_CHANNEL_BINDINGS, GSSEAP_STATE_INITIATOR_EXTS, SM_ITOK_FLAG_REQUIRED, @@ -873,10 +919,10 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { }, { ITOK_TYPE_NONE, - ITOK_TYPE_NONE, + ITOK_TYPE_INITIATOR_MIC, GSSEAP_STATE_INITIATOR_EXTS, - 0, - eapGssSmInitCompleteInitiatorExts + SM_ITOK_FLAG_REQUIRED, + eapGssSmInitInitiatorMIC }, #ifdef GSSEAP_ENABLE_REAUTH { @@ -889,15 +935,15 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { #endif /* other extensions go here */ { - ITOK_TYPE_NONE, + ITOK_TYPE_ACCEPTOR_MIC, ITOK_TYPE_NONE, GSSEAP_STATE_ACCEPTOR_EXTS, - 0, - eapGssSmInitCompleteAcceptorExts + SM_ITOK_FLAG_REQUIRED, + eapGssSmInitAcceptorMIC } }; -OM_uint32 +OM_uint32 GSSAPI_CALLCONV gss_init_sec_context(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t *context_handle, @@ -939,34 +985,24 @@ gss_init_sec_context(OM_uint32 *minor, GSSEAP_MUTEX_LOCK(&ctx->mutex); - if (cred == GSS_C_NO_CREDENTIAL) { - if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { - major = gssEapAcquireCred(minor, - GSS_C_NO_NAME, - GSS_C_NO_BUFFER, - time_req, - GSS_C_NO_OID_SET, - GSS_C_INITIATE, - &ctx->defaultCred, - NULL, - NULL); - if (GSS_ERROR(major)) - goto cleanup; - } + if (cred != GSS_C_NO_CREDENTIAL) + GSSEAP_MUTEX_LOCK(&cred->mutex); - cred = ctx->defaultCred; + if (ctx->cred == GSS_C_NO_CREDENTIAL) { + major = gssEapResolveInitiatorCred(minor, cred, target_name, &ctx->cred); + if (GSS_ERROR(major)) + goto cleanup; + + assert(ctx->cred != GSS_C_NO_CREDENTIAL); } - GSSEAP_MUTEX_LOCK(&cred->mutex); + GSSEAP_MUTEX_LOCK(&ctx->cred->mutex); - if ((cred->flags & CRED_FLAG_INITIATE) == 0) { - major = GSS_S_NO_CRED; - *minor = GSSEAP_CRED_USAGE_MISMATCH; - goto cleanup; - } + assert(ctx->cred->flags & CRED_FLAG_RESOLVED); + assert(ctx->cred->flags & CRED_FLAG_INITIATE); if (initialContextToken) { - major = initBegin(minor, cred, ctx, target_name, mech_type, + major = initBegin(minor, ctx, target_name, mech_type, req_flags, time_req, input_chan_bindings); if (GSS_ERROR(major)) goto cleanup; @@ -1007,6 +1043,8 @@ gss_init_sec_context(OM_uint32 *minor, cleanup: if (cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_UNLOCK(&cred->mutex); + if (ctx->cred != GSS_C_NO_CREDENTIAL) + GSSEAP_MUTEX_UNLOCK(&ctx->cred->mutex); GSSEAP_MUTEX_UNLOCK(&ctx->mutex); if (GSS_ERROR(major))