X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Finit_sec_context.c;h=3194f990b4e3da9dabeead0e225d519439d4b739;hb=refs%2Fheads%2Fjson-name;hp=b9693df3e39a74d99bcb98c134428d0c017a68d4;hpb=ef7242d8e4b355b1565ca20761c7e95f48185fdf;p=moonshot.git diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c index b9693df..3194f99 100644 --- a/mech_eap/init_sec_context.c +++ b/mech_eap/init_sec_context.c @@ -161,18 +161,20 @@ peerGetEapReqData(void *ctx) } static void -peerSetConfigBlob(void *ctx, struct wpa_config_blob *blob) +peerSetConfigBlob(void *ctx GSSEAP_UNUSED, + struct wpa_config_blob *blob GSSEAP_UNUSED) { } static const struct wpa_config_blob * -peerGetConfigBlob(void *ctx, const char *name) +peerGetConfigBlob(void *ctx GSSEAP_UNUSED, + const char *name GSSEAP_UNUSED) { return NULL; } static void -peerNotifyPending(void *ctx) +peerNotifyPending(void *ctx GSSEAP_UNUSED) { } @@ -197,13 +199,16 @@ peerConfigInit(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx) { + OM_uint32 major; krb5_context krbContext; struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig; - krb5_error_code code; - char *identity, *anonymousIdentity; + gss_buffer_desc identity = GSS_C_EMPTY_BUFFER; + gss_buffer_desc realm = GSS_C_EMPTY_BUFFER; eapPeerConfig->identity = NULL; eapPeerConfig->identity_len = 0; + eapPeerConfig->anonymous_identity = NULL; + eapPeerConfig->anonymous_identity_len = 0; eapPeerConfig->password = NULL; eapPeerConfig->password_len = 0; 
@@ -223,20 +228,29 @@ peerConfigInit(OM_uint32 *minor, return GSS_S_BAD_NAME; } - code = krb5_unparse_name(krbContext, cred->name->krbPrincipal, &identity); - if (code != 0) { - *minor = code; + /* identity */ + major = gssEapDisplayName(minor, cred->name, &identity, NULL); + if (GSS_ERROR(major)) + return major; + + eapPeerConfig->identity = (unsigned char *)identity.value; + eapPeerConfig->identity_len = identity.length; + + krbPrincRealmToGssBuffer(cred->name->krbPrincipal, &realm); + + /* anonymous_identity */ + eapPeerConfig->anonymous_identity = GSSEAP_MALLOC(realm.length + 2); + if (eapPeerConfig->anonymous_identity == NULL) { + *minor = ENOMEM; return GSS_S_FAILURE; } - anonymousIdentity = strchr(identity, '@'); - if (anonymousIdentity == NULL) - anonymousIdentity = ""; + eapPeerConfig->anonymous_identity[0] = '@'; + memcpy(eapPeerConfig->anonymous_identity + 1, realm.value, realm.length); + eapPeerConfig->anonymous_identity[1 + realm.length] = '\0'; + eapPeerConfig->anonymous_identity_len = 1 + realm.length; - eapPeerConfig->identity = (unsigned char *)identity; - eapPeerConfig->identity_len = strlen(identity); - eapPeerConfig->anonymous_identity = (unsigned char *)anonymousIdentity; - eapPeerConfig->anonymous_identity_len = strlen(anonymousIdentity); + /* password */ eapPeerConfig->password = (unsigned char *)cred->password.value; eapPeerConfig->password_len = cred->password.length; 
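Review bot: In the new anonymous_identity block, `eapPeerConfig->identity` already points at the buffer returned by gssEapDisplayName when `GSSEAP_MALLOC(realm.length + 2)` fails, and the `return GSS_S_FAILURE` path does not release it. If callers do not run peerConfigFree after a failed peerConfigInit, the display-name buffer leaks; either release it here (`GSSEAP_FREE(eapPeerConfig->identity); eapPeerConfig->identity = NULL; eapPeerConfig->identity_len = 0;` before the return) or document in a comment above the function that peerConfigFree must be called on every peerConfigInit failure. The body of peerConfigInit begins and ends outside this hunk, so whether the caller already does so is not visible here.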
@@ -248,12 +262,19 @@ static OM_uint32 peerConfigFree(OM_uint32 *minor, gss_ctx_id_t ctx) { - krb5_context krbContext; struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig; - GSSEAP_KRB_INIT(&krbContext); + if (eapPeerConfig->identity != NULL) { + GSSEAP_FREE(eapPeerConfig->identity); + eapPeerConfig->identity = NULL; + eapPeerConfig->identity_len = 0; + } - krb5_free_unparsed_name(krbContext, (char *)eapPeerConfig->identity); + if (eapPeerConfig->anonymous_identity != NULL) { + GSSEAP_FREE(eapPeerConfig->anonymous_identity); + eapPeerConfig->anonymous_identity = NULL; + eapPeerConfig->anonymous_identity_len = 0; + } *minor = 0; return GSS_S_COMPLETE; @@ -324,9 +345,9 @@ initBegin(OM_uint32 *minor, gss_ctx_id_t ctx, gss_name_t target, gss_OID mech, - OM_uint32 reqFlags, + OM_uint32 reqFlags GSSEAP_UNUSED, OM_uint32 timeReq, - gss_channel_bindings_t chanBindings) + gss_channel_bindings_t chanBindings GSSEAP_UNUSED) { OM_uint32 major; @@ -360,15 +381,10 @@ initBegin(OM_uint32 *minor, GSSEAP_MUTEX_UNLOCK(&target->mutex); } - if (mech == GSS_C_NULL_OID) { - major = gssEapDefaultMech(minor, &ctx->mechanismUsed); - } else if (gssEapIsConcreteMechanismOid(mech)) { - if (!gssEapInternalizeOid(mech, &ctx->mechanismUsed)) - major = duplicateOid(minor, mech, &ctx->mechanismUsed); - } else { - major = GSS_S_BAD_MECH; - *minor = GSSEAP_WRONG_MECH; - } + major = gssEapCanonicalizeOid(minor, + mech, + OID_FLAG_NULL_VALID | OID_FLAG_MAP_NULL_TO_DEFAULT_MECH, + &ctx->mechanismUsed); if (GSS_ERROR(major)) return major; 
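Review bot: peerConfigFree now releases `eapPeerConfig->identity` with GSSEAP_FREE, but that pointer is the `identity.value` handed out by gssEapDisplayName in peerConfigInit, so the two functions must agree on the allocator; the previous pairing was krb5_unparse_name/krb5_free_unparsed_name, and if gssEapDisplayName allocates through anything other than GSSEAP_MALLOC this becomes a mismatched free. A short comment on the free, `/* identity.value was allocated by gssEapDisplayName; must pair with GSSEAP_FREE */`, would pin the contract once confirmed. The password and password_len fields, which alias `cred->password` rather than owning it, are left untouched; resetting them alongside the two identity fields would keep the struct from carrying a stale pointer if it outlives the credential. The function's closing brace lies outside the hunk.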
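Review bot: Replacing the mechanism-OID branch with `gssEapCanonicalizeOid(minor, mech, OID_FLAG_NULL_VALID | OID_FLAG_MAP_NULL_TO_DEFAULT_MECH, &ctx->mechanismUsed)` drops the explicit `gssEapIsConcreteMechanismOid` test that previously returned GSS_S_BAD_MECH with `*minor = GSSEAP_WRONG_MECH` for a non-concrete OID. Whether gssEapCanonicalizeOid enforces the same rejection is not visible from this hunk; if it accepts a family or otherwise non-concrete OID, the initiator would proceed with a mechanism value that later handlers presumably do not expect. A one-line comment above the call, `/* expected to reject non-concrete OIDs with GSS_S_BAD_MECH; NULL maps to the default mechanism */`, would record the expectation once verified. initBegin's body continues past the hunk.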
@@ -384,16 +400,16 @@ initBegin(OM_uint32 *minor, static OM_uint32 eapGssSmInitError(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx GSSEAP_UNUSED, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, gss_buffer_t inputToken, - gss_buffer_t outputToken, - OM_uint32 *smFlags) + gss_buffer_t outputToken GSSEAP_UNUSED, + OM_uint32 *smFlags GSSEAP_UNUSED) { OM_uint32 major; unsigned char *p; @@ -424,13 +440,13 @@ eapGssSmInitGssReauth(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, gss_name_t target, - gss_OID mech, + gss_OID mech GSSEAP_UNUSED, OM_uint32 reqFlags, OM_uint32 timeReq, gss_channel_bindings_t chanBindings, gss_buffer_t inputToken, gss_buffer_t outputToken, - OM_uint32 *smFlags) + OM_uint32 *smFlags GSSEAP_UNUSED) { OM_uint32 major, tmpMinor; gss_name_t mechTarget = GSS_C_NO_NAME; @@ -493,16 +509,16 @@ cleanup: #ifdef GSSEAP_DEBUG static OM_uint32 eapGssSmInitVendorInfo(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx GSSEAP_UNUSED, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, gss_buffer_t outputToken, - OM_uint32 *smFlags) + OM_uint32 *smFlags GSSEAP_UNUSED) { OM_uint32 major; 
@@ -516,16 +532,16 @@ eapGssSmInitVendorInfo(OM_uint32 *minor, static OM_uint32 eapGssSmInitAcceptorName(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, gss_buffer_t outputToken, - OM_uint32 *smFlags) + OM_uint32 *smFlags GSSEAP_UNUSED) { OM_uint32 major; @@ -541,7 +557,9 @@ eapGssSmInitAcceptorName(OM_uint32 *minor, ctx->acceptorName == GSS_C_NO_NAME) { /* Accept target name hint from acceptor */ major = gssEapImportName(minor, inputToken, - GSS_C_NT_USER_NAME, &ctx->acceptorName); + GSS_C_NT_USER_NAME, + ctx->mechanismUsed, + &ctx->acceptorName); if (GSS_ERROR(major)) return major; } @@ -560,19 +578,20 @@ eapGssSmInitAcceptorName(OM_uint32 *minor, static OM_uint32 eapGssSmInitIdentity(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, - gss_buffer_t outputToken, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken GSSEAP_UNUSED, OM_uint32 *smFlags) { struct eap_config eapConfig; +#ifdef GSSEAP_ENABLE_REAUTH if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE) { OM_uint32 tmpMinor; 
@@ -580,10 +599,9 @@ eapGssSmInitIdentity(OM_uint32 *minor, gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER); ctx->flags &= ~(CTX_FLAG_KRB_REAUTH); GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL); - *smFlags |= SM_FLAG_RESTART; - } else { + } else +#endif *smFlags |= SM_FLAG_FORCE_SEND_TOKEN; - } assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0); assert(inputToken == GSS_C_NO_BUFFER); @@ -618,12 +636,12 @@ static OM_uint32 eapGssSmInitAuthenticate(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, gss_buffer_t outputToken, OM_uint32 *smFlags) { @@ -686,6 +704,8 @@ cleanup: major = tmpMajor; *minor = tmpMinor; } + + *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL; } wpabuf_set(&ctx->initiatorCtx.reqData, NULL, 0); @@ -696,14 +716,14 @@ cleanup: static OM_uint32 eapGssSmInitGssChannelBindings(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, + gss_buffer_t inputToken GSSEAP_UNUSED, gss_buffer_t outputToken, OM_uint32 *smFlags) { @@ -721,6 +741,8 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, assert(outputToken->value != NULL); *minor = 0; + *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL; + return GSS_S_CONTINUE_NEEDED; } 
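Review bot: With GSSEAP_ENABLE_REAUTH defined, `} else` followed by `#endif` leaves `*smFlags |= SM_FLAG_FORCE_SEND_TOKEN;` as an unbraced else body, and with it undefined the statement stands alone; every other control body visible in this function is braced, so this is the one spot where a later added statement would silently change meaning in one configuration. Wrapping the statement in a brace block that survives both configurations removes the hazard: replace the bare statement with `    {`, `        *smFlags |= SM_FLAG_FORCE_SEND_TOKEN;`, `    }`, which reads as the else body when the `#ifdef` is active and as a plain block otherwise. The `if` this else belongs to opens in the previous hunk and the function continues after this one.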
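Review bot: In the cleanup section of eapGssSmInitAuthenticate the new `*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;` comes after the block that copies `tmpMajor`/`tmpMinor` into `major`/`*minor`, which reads as an error path, so the output token is marked critical even when the enclosing block has just recorded a failure. That is harmless only if the state machine ignores smFlags on an error return, which is not visible here; otherwise gating it as `if (!GSS_ERROR(major)) *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;` keeps the flag tied to a token that will actually be sent. The enclosing block opens before this hunk; the matching addition in eapGssSmInitGssChannelBindings (hunk @@ -721) is on the straight success path before `return GSS_S_CONTINUE_NEEDED` and does not raise this question.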
@@ -729,14 +751,14 @@ static OM_uint32 eapGssSmInitReauthCreds(OM_uint32 *minor, gss_cred_id_t cred, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, gss_buffer_t inputToken, - gss_buffer_t outputToken, - OM_uint32 *smFlags) + gss_buffer_t outputToken GSSEAP_UNUSED, + OM_uint32 *smFlags GSSEAP_UNUSED) { OM_uint32 major; @@ -753,15 +775,15 @@ eapGssSmInitReauthCreds(OM_uint32 *minor, static OM_uint32 eapGssSmInitCompleteInitiatorExts(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, - gss_buffer_t outputToken, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken GSSEAP_UNUSED, OM_uint32 *smFlags) { GSSEAP_SM_TRANSITION_NEXT(ctx); 
@@ -774,16 +796,16 @@ eapGssSmInitCompleteInitiatorExts(OM_uint32 *minor, static OM_uint32 eapGssSmInitCompleteAcceptorExts(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, - gss_name_t target, - gss_OID mech, - OM_uint32 reqFlags, - OM_uint32 timeReq, - gss_channel_bindings_t chanBindings, - gss_buffer_t inputToken, - gss_buffer_t outputToken, - OM_uint32 *smFlags) + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken GSSEAP_UNUSED, + OM_uint32 *smFlags GSSEAP_UNUSED) { GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED); @@ -797,7 +819,7 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { ITOK_TYPE_CONTEXT_ERR, ITOK_TYPE_NONE, GSSEAP_STATE_ALL & ~(GSSEAP_STATE_INITIAL), - SM_ITOK_FLAG_CRITICAL, + 0, eapGssSmInitError }, { @@ -828,22 +850,25 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { { ITOK_TYPE_NONE, ITOK_TYPE_NONE, - GSSEAP_STATE_INITIAL | GSSEAP_STATE_REAUTHENTICATE, - SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED, +#ifdef GSSEAP_ENABLE_REAUTH + GSSEAP_STATE_REAUTHENTICATE | +#endif + GSSEAP_STATE_INITIAL, + SM_ITOK_FLAG_REQUIRED, eapGssSmInitIdentity }, { ITOK_TYPE_EAP_REQ, ITOK_TYPE_EAP_RESP, GSSEAP_STATE_AUTHENTICATE, - SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED, + SM_ITOK_FLAG_REQUIRED, eapGssSmInitAuthenticate }, { ITOK_TYPE_NONE, ITOK_TYPE_GSS_CHANNEL_BINDINGS, GSSEAP_STATE_INITIATOR_EXTS, - SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED, + SM_ITOK_FLAG_REQUIRED, eapGssSmInitGssChannelBindings }, { @@ -889,6 +914,7 @@ gss_init_sec_context(OM_uint32 *minor, { OM_uint32 major, tmpMinor; gss_ctx_id_t ctx = *context_handle; + int initialContextToken = 0; *minor = 0; 
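Review bot: Dropping SM_ITOK_FLAG_CRITICAL from the eapGssSmInitIdentity, eapGssSmInitAuthenticate and eapGssSmInitGssChannelBindings entries (and from the eapGssSmInitError entry in hunk @@ -797) moves criticality from the table to the per-handler `SM_FLAG_OUTPUT_TOKEN_CRITICAL`, which this commit sets only in eapGssSmInitAuthenticate and eapGssSmInitGssChannelBindings. The table entries for eapGssSmInitVendorInfo and eapGssSmInitAcceptorName, both of which write outputToken, lie outside the hunk; if they previously carried SM_ITOK_FLAG_CRITICAL, those tokens are presumably now sent non-critical and a peer that does not understand them may proceed instead of failing. For the channel-bindings token in particular the critical marking is what should force an acceptor lacking support to fail rather than continue unbound, so a comment on the table, `/* output-token criticality is set per handler via SM_FLAG_OUTPUT_TOKEN_CRITICAL */`, would make the new split explicit for the next maintainer.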
@@ -906,13 +932,7 @@ gss_init_sec_context(OM_uint32 *minor, return major; ctx->flags |= CTX_FLAG_INITIATOR; - - major = initBegin(minor, cred, ctx, target_name, mech_type, - req_flags, time_req, input_chan_bindings); - if (GSS_ERROR(major)) { - gssEapReleaseContext(minor, &ctx); - return major; - } + initialContextToken = 1; *context_handle = ctx; } @@ -939,13 +959,19 @@ gss_init_sec_context(OM_uint32 *minor, GSSEAP_MUTEX_LOCK(&cred->mutex); - if ((cred->flags & CRED_FLAG_INITIATE) == 0) { major = GSS_S_NO_CRED; *minor = GSSEAP_CRED_USAGE_MISMATCH; goto cleanup; } + if (initialContextToken) { + major = initBegin(minor, cred, ctx, target_name, mech_type, + req_flags, time_req, input_chan_bindings); + if (GSS_ERROR(major)) + goto cleanup; + } + major = gssEapSmStep(minor, cred, ctx, @@ -962,8 +988,14 @@ gss_init_sec_context(OM_uint32 *minor, goto cleanup; if (actual_mech_type != NULL) { - if (!gssEapInternalizeOid(ctx->mechanismUsed, actual_mech_type)) - duplicateOid(&tmpMinor, ctx->mechanismUsed, actual_mech_type); + OM_uint32 tmpMajor; + + tmpMajor = gssEapCanonicalizeOid(&tmpMinor, ctx->mechanismUsed, 0, actual_mech_type); + if (GSS_ERROR(tmpMajor)) { + major = tmpMajor; + *minor = tmpMinor; + goto cleanup; + } } if (ret_flags != NULL) *ret_flags = ctx->gssFlags;
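Review bot: Moving initBegin under the `initialContextToken` check changes the failure path: the code removed in hunk @@ -906 called gssEapReleaseContext on the freshly created context and returned, whereas the new `goto cleanup` runs after `*context_handle = ctx` has already been stored. Unless the cleanup label, which is outside this hunk, releases the context when `major` carries an error, a failed initBegin now hands the caller a context handle whose mechanism and target were never set up. The new error exit in hunk @@ -962 relies on the same behaviour of cleanup after gssEapSmStep has already advanced the state machine. A comment at the first `goto cleanup`, `/* cleanup must release ctx on error: *context_handle is already set */`, would state the assumption once it has been confirmed against the cleanup code.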