X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=moonshot%2Fmech_eap%2Finit_sec_context.c;h=e5bc107b3974bfee394003b6662d9d2777f340d4;hb=718b3c72ced52cc2f70abc45f2df13ee5d9a5cec;hp=42f9b9348003c478577b01cf6f9a70189400018b;hpb=9b1b7600be02d13fc799596b098ab112a967b090;p=moonshot.git diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 42f9b93..e5bc107 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c @@ -195,15 +195,14 @@ extern int wpa_debug_level; #endif static OM_uint32 -peerConfigInit(OM_uint32 *minor, - gss_cred_id_t cred, - gss_ctx_id_t ctx) +peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx) { OM_uint32 major; krb5_context krbContext; struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig; gss_buffer_desc identity = GSS_C_EMPTY_BUFFER; gss_buffer_desc realm = GSS_C_EMPTY_BUFFER; + gss_cred_id_t cred = ctx->cred; eapPeerConfig->identity = NULL; eapPeerConfig->identity_len = 0; @@ -254,6 +253,11 @@ peerConfigInit(OM_uint32 *minor, eapPeerConfig->password = (unsigned char *)cred->password.value; eapPeerConfig->password_len = cred->password.length; + /* certs */ + eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value; + eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value; + eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value; + *minor = 0; return GSS_S_COMPLETE; } @@ -341,7 +345,6 @@ initReady(OM_uint32 *minor, gss_ctx_id_t ctx, OM_uint32 reqFlags) static OM_uint32 initBegin(OM_uint32 *minor, - gss_cred_id_t cred, gss_ctx_id_t ctx, gss_name_t target, gss_OID mech, @@ -350,6 +353,7 @@ initBegin(OM_uint32 *minor, gss_channel_bindings_t chanBindings GSSEAP_UNUSED) { OM_uint32 major; + gss_cred_id_t cred = ctx->cred; assert(cred != GSS_C_NO_CREDENTIAL); @@ -634,7 +638,7 @@ eapGssSmInitIdentity(OM_uint32 *minor, static OM_uint32 eapGssSmInitAuthenticate(OM_uint32 *minor, - gss_cred_id_t cred, + gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, gss_name_t target GSSEAP_UNUSED, gss_OID mech GSSEAP_UNUSED, @@ -653,7 +657,7 @@ eapGssSmInitAuthenticate(OM_uint32 *minor, assert(inputToken != GSS_C_NO_BUFFER); - major = peerConfigInit(minor, cred, ctx); + major = peerConfigInit(minor, ctx); if (GSS_ERROR(major)) goto cleanup; @@ -714,6 +718,30 @@ cleanup: } static OM_uint32 +eapGssSmInitGssFlags(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken, + OM_uint32 *smFlags GSSEAP_UNUSED) +{ + unsigned char wireFlags[4]; + gss_buffer_desc flagsBuf; + + store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags); + + flagsBuf.length = sizeof(wireFlags); + flagsBuf.value = wireFlags; + + return duplicateBuffer(minor, &flagsBuf, outputToken); +} + +static OM_uint32 eapGssSmInitGssChannelBindings(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, @@ -745,6 +773,33 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor, return GSS_S_CONTINUE_NEEDED; } +static OM_uint32 +eapGssSmInitInitiatorMIC(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken, + OM_uint32 *smFlags) +{ + OM_uint32 major; + + major = gssEapMakeTokenMIC(minor, ctx, outputToken); + if (GSS_ERROR(major)) + return major; + + GSSEAP_SM_TRANSITION_NEXT(ctx); + + *minor = 0; + *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL; + + return GSS_S_CONTINUE_NEEDED; +} + #ifdef GSSEAP_ENABLE_REAUTH static OM_uint32 eapGssSmInitReauthCreds(OM_uint32 *minor, @@ -773,39 +828,24 @@ eapGssSmInitReauthCreds(OM_uint32 *minor, #endif /* GSSEAP_ENABLE_REAUTH */ static OM_uint32 -eapGssSmInitCompleteInitiatorExts(OM_uint32 *minor, - gss_cred_id_t cred GSSEAP_UNUSED, - gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, - gss_OID mech GSSEAP_UNUSED, - OM_uint32 reqFlags GSSEAP_UNUSED, - OM_uint32 timeReq GSSEAP_UNUSED, - gss_channel_bindings_t chanBindings GSSEAP_UNUSED, - gss_buffer_t inputToken GSSEAP_UNUSED, - gss_buffer_t outputToken GSSEAP_UNUSED, - OM_uint32 *smFlags) +eapGssSmInitAcceptorMIC(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken, + gss_buffer_t outputToken GSSEAP_UNUSED, + OM_uint32 *smFlags GSSEAP_UNUSED) { - GSSEAP_SM_TRANSITION_NEXT(ctx); - - *minor = 0; - *smFlags |= SM_FLAG_FORCE_SEND_TOKEN; + OM_uint32 major; - return GSS_S_CONTINUE_NEEDED; -} + major = gssEapVerifyTokenMIC(minor, ctx, inputToken); + if (GSS_ERROR(major)) + return major; -static OM_uint32 -eapGssSmInitCompleteAcceptorExts(OM_uint32 *minor, - gss_cred_id_t cred GSSEAP_UNUSED, - gss_ctx_id_t ctx, - gss_name_t target GSSEAP_UNUSED, - gss_OID mech GSSEAP_UNUSED, - OM_uint32 reqFlags GSSEAP_UNUSED, - OM_uint32 timeReq GSSEAP_UNUSED, - gss_channel_bindings_t chanBindings GSSEAP_UNUSED, - gss_buffer_t inputToken GSSEAP_UNUSED, - gss_buffer_t outputToken GSSEAP_UNUSED, - OM_uint32 *smFlags GSSEAP_UNUSED) -{ GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED); *minor = 0; @@ -865,6 +905,13 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { }, { ITOK_TYPE_NONE, + ITOK_TYPE_GSS_FLAGS, + GSSEAP_STATE_INITIATOR_EXTS, + 0, + eapGssSmInitGssFlags + }, + { + ITOK_TYPE_NONE, ITOK_TYPE_GSS_CHANNEL_BINDINGS, GSSEAP_STATE_INITIATOR_EXTS, SM_ITOK_FLAG_REQUIRED, @@ -872,10 +919,10 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { }, { ITOK_TYPE_NONE, - ITOK_TYPE_NONE, + ITOK_TYPE_INITIATOR_MIC, GSSEAP_STATE_INITIATOR_EXTS, - 0, - eapGssSmInitCompleteInitiatorExts + SM_ITOK_FLAG_REQUIRED, + eapGssSmInitInitiatorMIC }, #ifdef GSSEAP_ENABLE_REAUTH { @@ -888,18 +935,18 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { #endif /* other extensions go here */ { - ITOK_TYPE_NONE, + ITOK_TYPE_ACCEPTOR_MIC, ITOK_TYPE_NONE, GSSEAP_STATE_ACCEPTOR_EXTS, - 0, - eapGssSmInitCompleteAcceptorExts + SM_ITOK_FLAG_REQUIRED, + eapGssSmInitAcceptorMIC } }; OM_uint32 -gss_init_sec_context(OM_uint32 *minor, +gssEapInitSecContext(OM_uint32 *minor, gss_cred_id_t cred, - gss_ctx_id_t *context_handle, + gss_ctx_id_t ctx, gss_name_t target_name, gss_OID mech_type, OM_uint32 req_flags, @@ -912,60 +959,26 @@ gss_init_sec_context(OM_uint32 *minor, OM_uint32 *time_rec) { OM_uint32 major, tmpMinor; - gss_ctx_id_t ctx = *context_handle; - int initialContextToken = 0; - - *minor = 0; + int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID); - output_token->length = 0; - output_token->value = NULL; - - if (ctx == GSS_C_NO_CONTEXT) { - if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { - *minor = GSSEAP_WRONG_SIZE; - return GSS_S_DEFECTIVE_TOKEN; - } + if (cred != GSS_C_NO_CREDENTIAL) + GSSEAP_MUTEX_LOCK(&cred->mutex); - major = gssEapAllocContext(minor, &ctx); + if (ctx->cred == GSS_C_NO_CREDENTIAL) { + major = gssEapResolveInitiatorCred(minor, cred, target_name, &ctx->cred); if (GSS_ERROR(major)) - return major; - - ctx->flags |= CTX_FLAG_INITIATOR; - initialContextToken = 1; - - *context_handle = ctx; - } - - GSSEAP_MUTEX_LOCK(&ctx->mutex); - - if (cred == GSS_C_NO_CREDENTIAL) { - if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { - major = gssEapAcquireCred(minor, - GSS_C_NO_NAME, - GSS_C_NO_BUFFER, - time_req, - GSS_C_NO_OID_SET, - GSS_C_INITIATE, - &ctx->defaultCred, - NULL, - NULL); - if (GSS_ERROR(major)) - goto cleanup; - } + goto cleanup; - cred = ctx->defaultCred; + assert(ctx->cred != GSS_C_NO_CREDENTIAL); } - GSSEAP_MUTEX_LOCK(&cred->mutex); + GSSEAP_MUTEX_LOCK(&ctx->cred->mutex); - if ((cred->flags & CRED_FLAG_INITIATE) == 0) { - major = GSS_S_NO_CRED; - *minor = GSSEAP_CRED_USAGE_MISMATCH; - goto cleanup; - } + assert(ctx->cred->flags & CRED_FLAG_RESOLVED); + assert(ctx->cred->flags & CRED_FLAG_INITIATE); if (initialContextToken) { - major = initBegin(minor, cred, ctx, target_name, mech_type, + major = initBegin(minor, ctx, target_name, mech_type, req_flags, time_req, input_chan_bindings); if (GSS_ERROR(major)) goto cleanup; @@ -1006,6 +1019,68 @@ gss_init_sec_context(OM_uint32 *minor, cleanup: if (cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_UNLOCK(&cred->mutex); + if (ctx->cred != GSS_C_NO_CREDENTIAL) + GSSEAP_MUTEX_UNLOCK(&ctx->cred->mutex); + + return major; +} + +OM_uint32 GSSAPI_CALLCONV +gss_init_sec_context(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec) +{ + OM_uint32 major, tmpMinor; + gss_ctx_id_t ctx = *context_handle; + + *minor = 0; + + output_token->length = 0; + output_token->value = NULL; + + assert(ctx == GSS_C_NO_CONTEXT || ctx->mechanismUsed != GSS_C_NO_OID); + + if (ctx == GSS_C_NO_CONTEXT) { + if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { + *minor = GSSEAP_WRONG_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } + + major = gssEapAllocContext(minor, &ctx); + if (GSS_ERROR(major)) + return major; + + ctx->flags |= CTX_FLAG_INITIATOR; + + *context_handle = ctx; + } + + GSSEAP_MUTEX_LOCK(&ctx->mutex); + + major = gssEapInitSecContext(minor, + cred, + ctx, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); if (GSS_ERROR(major))