X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Finit_sec_context.c;h=2e4b23b9c79788fc562bdc646d78b1f84ca4c4b5;hb=e82fcf22c3b6961beae883fc66bf4567896b7c4b;hp=951ea2b7d9abb80bdbdace6b31a7074ead4f91dd;hpb=754fb92e5ac6ad34aaa44a64c9bfa9a2583179f2;p=moonshot.git
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index 951ea2b..2e4b23b 100644
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -199,13 +199,16 @@ peerConfigInit(OM_uint32 *minor,
 gss_cred_id_t cred,
 gss_ctx_id_t ctx)
 {
+ OM_uint32 major;
 krb5_context krbContext;
 struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
- krb5_error_code code;
- char *identity, *anonymousIdentity;
+ gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
 eapPeerConfig->identity = NULL;
 eapPeerConfig->identity_len = 0;
+ eapPeerConfig->anonymous_identity = NULL;
+ eapPeerConfig->anonymous_identity_len = 0;
 eapPeerConfig->password = NULL;
 eapPeerConfig->password_len = 0;
@@ -225,20 +228,29 @@ peerConfigInit(OM_uint32 *minor,
 return GSS_S_BAD_NAME;
 }
- code = krb5_unparse_name(krbContext, cred->name->krbPrincipal, &identity);
- if (code != 0) {
- *minor = code;
+ /* identity */
+ major = gssEapDisplayName(minor, cred->name, &identity, NULL);
+ if (GSS_ERROR(major))
+ return major;
+
+ eapPeerConfig->identity = (unsigned char *)identity.value;
+ eapPeerConfig->identity_len = identity.length;
+
+ krbPrincRealmToGssBuffer(cred->name->krbPrincipal, &realm);
+
+ /* anonymous_identity */
+ eapPeerConfig->anonymous_identity = GSSEAP_MALLOC(realm.length + 2);
+ if (eapPeerConfig->anonymous_identity == NULL) {
+ *minor = ENOMEM;
 return GSS_S_FAILURE;
 }
- anonymousIdentity = strchr(identity, '@');
- if (anonymousIdentity == NULL)
- anonymousIdentity = "";
+ eapPeerConfig->anonymous_identity[0] = '@';
+ memcpy(eapPeerConfig->anonymous_identity + 1, realm.value, realm.length);
+ eapPeerConfig->anonymous_identity[1 + realm.length] = '\0';
+ eapPeerConfig->anonymous_identity_len = 1 + realm.length;
- eapPeerConfig->identity = (unsigned char *)identity;
- eapPeerConfig->identity_len = strlen(identity);
- eapPeerConfig->anonymous_identity = (unsigned char *)anonymousIdentity;
- eapPeerConfig->anonymous_identity_len = strlen(anonymousIdentity);
+ /* password */
 eapPeerConfig->password = (unsigned char *)cred->password.value;
 eapPeerConfig->password_len = cred->password.length;
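Review bot: The ENOMEM path after `GSSEAP_MALLOC(realm.length + 2)` returns GSS_S_FAILURE while `eapPeerConfig->identity` still points at the buffer obtained from gssEapDisplayName, so that buffer leaks unless every caller runs peerConfigFree after a failed peerConfigInit, which this hunk does not show. Either release it before returning — `GSSEAP_FREE(identity.value); eapPeerConfig->identity = NULL; eapPeerConfig->identity_len = 0;` — or state above the function that peerConfigFree must be called on failure. The result of `krbPrincRealmToGssBuffer(cred->name->krbPrincipal, &realm)` is also not examined; if it can fail or leave a zero-length realm with a NULL `realm.value`, the following memcpy reads from NULL (undefined behaviour even for a zero length), so either check it or guard the copy with `if (realm.length != 0)`. A short comment such as `/* anonymous_identity is "@REALM" only; the full identity is never placed in the outer EAP identity */` would record why the realm alone is used here. peerConfigInit begins in the previous hunk and its end lies outside this one.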
@@ -250,12 +262,19 @@ static OM_uint32
 peerConfigFree(OM_uint32 *minor,
 gss_ctx_id_t ctx)
 {
- krb5_context krbContext;
 struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
- GSSEAP_KRB_INIT(&krbContext);
+ if (eapPeerConfig->identity != NULL) {
+ GSSEAP_FREE(eapPeerConfig->identity);
+ eapPeerConfig->identity = NULL;
+ eapPeerConfig->identity_len = 0;
+ }
- krb5_free_unparsed_name(krbContext, (char *)eapPeerConfig->identity);
+ if (eapPeerConfig->anonymous_identity != NULL) {
+ GSSEAP_FREE(eapPeerConfig->anonymous_identity);
+ eapPeerConfig->anonymous_identity = NULL;
+ eapPeerConfig->anonymous_identity_len = 0;
+ }
 *minor = 0;
 return GSS_S_COMPLETE;
@@ -362,15 +381,10 @@ initBegin(OM_uint32 *minor,
 GSSEAP_MUTEX_UNLOCK(&target->mutex);
 }
- if (mech == GSS_C_NULL_OID) {
- major = gssEapDefaultMech(minor, &ctx->mechanismUsed);
- } else if (gssEapIsConcreteMechanismOid(mech)) {
- if (!gssEapInternalizeOid(mech, &ctx->mechanismUsed))
- major = duplicateOid(minor, mech, &ctx->mechanismUsed);
- } else {
- major = GSS_S_BAD_MECH;
- *minor = GSSEAP_WRONG_MECH;
- }
+ major = gssEapCanonicalizeOid(minor,
+ mech,
+ OID_FLAG_NULL_VALID | OID_FLAG_MAP_NULL_TO_DEFAULT_MECH,
+ &ctx->mechanismUsed);
 if (GSS_ERROR(major))
 return major;
@@ -458,7 +472,7 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
 major = gssInitSecContext(minor,
 cred->krbCred,
- &ctx->kerberosCtx,
+ &ctx->reauthCtx,
 mechTarget,
 (gss_OID)gss_mech_krb5,
 reqFlags | GSS_C_MUTUAL_FLAG,
@@ -543,7 +557,9 @@ eapGssSmInitAcceptorName(OM_uint32 *minor,
 ctx->acceptorName == GSS_C_NO_NAME) {
 /* Accept target name hint from acceptor */
 major = gssEapImportName(minor, inputToken,
- GSS_C_NT_USER_NAME, &ctx->acceptorName);
+ GSS_C_NT_USER_NAME,
+ ctx->mechanismUsed,
+ &ctx->acceptorName);
 if (GSS_ERROR(major))
 return major;
 }
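Review bot: `GSSEAP_FREE(eapPeerConfig->identity)` releases a buffer that peerConfigInit obtained from gssEapDisplayName, which is only correct if that routine allocates with GSSEAP_MALLOC; if it returns a gss_buffer allocated some other way, the matching release is gss_release_buffer on a gss_buffer_desc built from identity/identity_len. A one-line comment pinning that contract would help the next reader, e.g. `/* identity was allocated by gssEapDisplayName via GSSEAP_MALLOC */`. The `!= NULL` guards are harmless but redundant if GSSEAP_FREE tolerates NULL the way free(3) does.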
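Review bot: The deleted block rejected any OID that was not a concrete mechanism with GSS_S_BAD_MECH/GSSEAP_WRONG_MECH, whereas the new `gssEapCanonicalizeOid(..., OID_FLAG_NULL_VALID | OID_FLAG_MAP_NULL_TO_DEFAULT_MECH, ...)` call only visibly covers the NULL case; confirm that it still fails on a non-EAP or mechanism-family OID rather than mapping it, since an initiator that silently negotiates a mechanism other than the one the caller asked for is a downgrade. If that rejection lives inside gssEapCanonicalizeOid, a comment here such as `/* rejects non-concrete OIDs with GSS_S_BAD_MECH; NULL selects the default mechanism */` would keep the intent the removed code made explicit. initBegin starts and ends outside this hunk.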
@@ -580,7 +596,7 @@ eapGssSmInitIdentity(OM_uint32 *minor,
 OM_uint32 tmpMinor;
 /* server didn't support reauthentication, sent EAP request */
- gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
+ gssDeleteSecContext(&tmpMinor, &ctx->reauthCtx, GSS_C_NO_BUFFER);
 ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
 GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
 } else
@@ -898,6 +914,7 @@ gss_init_sec_context(OM_uint32 *minor,
 {
 OM_uint32 major, tmpMinor;
 gss_ctx_id_t ctx = *context_handle;
+ int initialContextToken = 0;
 *minor = 0;
@@ -915,13 +932,7 @@ gss_init_sec_context(OM_uint32 *minor,
 return major;
 ctx->flags |= CTX_FLAG_INITIATOR;
-
- major = initBegin(minor, cred, ctx, target_name, mech_type,
- req_flags, time_req, input_chan_bindings);
- if (GSS_ERROR(major)) {
- gssEapReleaseContext(minor, &ctx);
- return major;
- }
+ initialContextToken = 1;
 *context_handle = ctx;
 }
@@ -948,13 +959,19 @@ gss_init_sec_context(OM_uint32 *minor,
 GSSEAP_MUTEX_LOCK(&cred->mutex);
-
 if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
 major = GSS_S_NO_CRED;
 *minor = GSSEAP_CRED_USAGE_MISMATCH;
 goto cleanup;
 }
+ if (initialContextToken) {
+ major = initBegin(minor, cred, ctx, target_name, mech_type,
+ req_flags, time_req, input_chan_bindings);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
 major = gssEapSmStep(minor,
 cred,
 ctx,
@@ -971,8 +988,14 @@ gss_init_sec_context(OM_uint32 *minor,
 goto cleanup;
 if (actual_mech_type != NULL) {
- if (!gssEapInternalizeOid(ctx->mechanismUsed, actual_mech_type))
- duplicateOid(&tmpMinor, ctx->mechanismUsed, actual_mech_type);
+ OM_uint32 tmpMajor;
+
+ tmpMajor = gssEapCanonicalizeOid(&tmpMinor, ctx->mechanismUsed, 0, actual_mech_type);
+ if (GSS_ERROR(tmpMajor)) {
+ major = tmpMajor;
+ *minor = tmpMinor;
+ goto cleanup;
+ }
 }
 if (ret_flags != NULL)
 *ret_flags = ctx->gssFlags;
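Review bot: On an initial call the new context is already published through `*context_handle = ctx` (previous hunk) before initBegin runs, and a failure of either the CRED_FLAG_INITIATE check or the moved `initBegin(...)` now jumps to `cleanup` instead of the old gssEapReleaseContext-then-return path; unless `cleanup` (outside this hunk) releases ctx and resets `*context_handle` to GSS_C_NO_CONTEXT when initialContextToken is set and GSS_ERROR(major), the caller is handed back a half-initialised context with no mechanismUsed. A guard in cleanup along the lines of `if (initialContextToken && GSS_ERROR(major)) { gssEapReleaseContext(&tmpMinor, &ctx); *context_handle = GSS_C_NO_CONTEXT; }` would restore the previous contract. Also note that initBegin is now invoked with `cred->mutex` held and itself takes `target->mutex` (see the initBegin hunk), so cred-then-target must be the only lock order used anywhere in the mechanism or a deadlock becomes possible. gss_init_sec_context continues past the end of this hunk.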