Fix some build errors, and build with flat_namespace
authorLuke Howard <lukeh@padl.com>
Wed, 22 Sep 2010 12:57:44 +0000 (14:57 +0200)
committerLuke Howard <lukeh@padl.com>
Wed, 22 Sep 2010 12:57:44 +0000 (14:57 +0200)
27 files changed:
mech_eap/TODO
mech_eap/accept_sec_context.c
mech_eap/add_cred.c
mech_eap/add_cred_with_password.c
mech_eap/canonicalize_name.c
mech_eap/context_time.c
mech_eap/display_name.c
mech_eap/duplicate_name.c
mech_eap/export_sec_context.c
mech_eap/gssapiP_eap.h
mech_eap/import_sec_context.c
mech_eap/init_sec_context.c
mech_eap/inquire_context.c
mech_eap/inquire_cred.c
mech_eap/unwrap.c
mech_eap/util.h
mech_eap/util_context.c
mech_eap/util_cred.c
mech_eap/util_name.c
mech_eap/util_radius.cpp
mech_eap/util_radius.h
mech_eap/util_saml.cpp
mech_eap/util_shib.cpp
mech_eap/wrap.c
mech_eap/wrap_iov.c
mech_eap/wrap_iov_length.c
mech_eap/wrap_size_limit.c

index 41465a9..bbfbc03 100644 (file)
@@ -1,3 +1,5 @@
 - hook up libradius, AVP parsing logic
 - better handling of mechanism-specific error namespace
 - better interfaces for initiator EAP configuration/credential management
+- libradius library handle is a global variable
+- radius expiry time
index f17cb56..6def93b 100644 (file)
@@ -129,7 +129,7 @@ eapGssSmAcceptIdentity(OM_uint32 *minor,
     assert(ctx->acceptorName == GSS_C_NO_NAME);
 
     if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) {
-        major = gss_duplicate_name(minor, cred->name, &ctx->acceptorName);
+        major = gssEapDuplicateName(minor, cred->name, &ctx->acceptorName);
         if (GSS_ERROR(major))
             return major;
     }
@@ -175,7 +175,7 @@ setAcceptorIdentity(OM_uint32 *minor,
 
     major = addAvpFromBuffer(minor, ctx->acceptorCtx.radHandle, avps,
                              VENDOR_ATTR_GSS_ACCEPTOR_SERVICE_NAME,
-                             VENDOR_ID_GSS_EAP,
+                             VENDOR_ID_UKERNA,
                              &nameBuf);
     if (GSS_ERROR(major))
         return major;
@@ -185,7 +185,7 @@ setAcceptorIdentity(OM_uint32 *minor,
 
     major = addAvpFromBuffer(minor, ctx->acceptorCtx.radHandle, avps,
                              VENDOR_ATTR_GSS_ACCEPTOR_HOST_NAME,
-                             VENDOR_ID_GSS_EAP,
+                             VENDOR_ID_UKERNA,
                              &nameBuf);
     if (GSS_ERROR(major))
         return major;
@@ -196,7 +196,7 @@ setAcceptorIdentity(OM_uint32 *minor,
 
         major = addAvpFromBuffer(minor, ctx->acceptorCtx.radHandle, avps,
                                  VENDOR_ATTR_GSS_ACCEPTOR_REALM_NAME,
-                                 VENDOR_ID_GSS_EAP,
+                                 VENDOR_ID_UKERNA,
                                  &nameBuf);
         if (GSS_ERROR(major))
             return major;
@@ -479,12 +479,12 @@ gss_accept_sec_context(OM_uint32 *minor,
 
     if (major == GSS_S_COMPLETE) {
         if (src_name != NULL && ctx->initiatorName != GSS_C_NO_NAME) {
-            major = gss_duplicate_name(&tmpMinor, ctx->initiatorName, src_name);
+            major = gssEapDuplicateName(&tmpMinor, ctx->initiatorName, src_name);
             if (GSS_ERROR(major))
                 goto cleanup;
         }
         if (time_rec != NULL)
-            gss_context_time(&tmpMinor, ctx, time_rec);
+            gssEapContextTime(&tmpMinor, ctx, time_rec);
     }
 
     assert(ctx->state == EAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
index 0332150..15a0cc1 100644 (file)
@@ -64,14 +64,15 @@ gss_add_cred(OM_uint32 *minor,
     mechs.count = 1;
     mechs.elements = desired_mech;
 
-    major = gss_acquire_cred(minor,
-                             desired_name,
-                             time_req,
-                             &mechs,
-                             cred_usage,
-                             output_cred_handle,
-                             actual_mechs,
-                             &time_rec);
+    major = gssEapAcquireCred(minor,
+                              desired_name,
+                              GSS_C_NO_BUFFER,
+                              time_req,
+                              &mechs,
+                              cred_usage,
+                              output_cred_handle,
+                              actual_mechs,
+                              &time_rec);
 
     if (initiator_time_rec != NULL)
         *initiator_time_rec = time_rec;
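Review bot: `time_rec` is copied into `*initiator_time_rec` without looking at `major`, so when gssEapAcquireCred fails the caller may receive whatever the local happened to hold. The declaration of `time_rec` is outside this hunk, so this only matters if it is not initialised there. Either initialise it (`OM_uint32 time_rec = 0;`) or guard the copy with `if (!GSS_ERROR(major) && initiator_time_rec != NULL)`. The gss_add_cred_with_password hunk that follows has the same pattern.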
index 8d54cb3..d1aae6c 100644 (file)
@@ -60,15 +60,15 @@ gss_add_cred_with_password(OM_uint32 *minor,
     mechs.count = 1;
     mechs.elements = desired_mech;
 
-    major = gss_acquire_cred_with_password(minor,
-                                           desired_name,
-                                           password,
-                                           time_req,
-                                           &mechs,
-                                           cred_usage,
-                                           output_cred_handle,
-                                           actual_mechs,
-                                           &time_rec);
+    major = gssEapAcquireCred(minor,
+                              desired_name,
+                              password,
+                              time_req,
+                              &mechs,
+                              cred_usage,
+                              output_cred_handle,
+                              actual_mechs,
+                              &time_rec);
 
     if (initiator_time_rec != NULL)
         *initiator_time_rec = time_rec;
index f04f75d..a028413 100644 (file)
@@ -43,5 +43,5 @@ gss_canonicalize_name(OM_uint32 *minor,
         return GSS_S_BAD_MECH;
     }
 
-    return gss_duplicate_name(minor, input_name, output_name);
+    return gssEapDuplicateName(minor, input_name, output_name);
 }
index ee330f1..8feadd2 100644 (file)
@@ -37,29 +37,5 @@ gss_context_time(OM_uint32 *minor,
                  gss_ctx_id_t context_handle,
                  OM_uint32 *time_rec)
 {
-    if (context_handle == GSS_C_NO_CONTEXT) {
-        return GSS_S_NO_CONTEXT;
-    }
-
-    if (!CTX_IS_ESTABLISHED(context_handle)) {
-        return GSS_S_NO_CONTEXT;
-    }
-
-    *minor = 0;
-
-    if (context_handle->expiryTime == 0) {
-        *time_rec = GSS_C_INDEFINITE;
-    } else {
-        time_t now, lifetime;
-
-        time(&now);
-        lifetime = context_handle->expiryTime - now;
-        if (lifetime <= 0) {
-            *time_rec = 0;
-            return GSS_S_CONTEXT_EXPIRED;
-        }
-        *time_rec = lifetime;
-    }
-
-    return GSS_S_COMPLETE;
+    return gssEapContextTime(minor, context_handle, time_rec);
 }
index 9ef4314..0afb226 100644 (file)
@@ -38,35 +38,6 @@ gss_display_name(OM_uint32 *minor,
                  gss_buffer_t output_name_buffer,
                  gss_OID *output_name_type)
 {
-    OM_uint32 major, tmpMinor;
-    krb5_context krbContext;
-    char *krbName;
-
-    GSSEAP_KRB_INIT(&krbContext);
-
-    output_name_buffer->length = 0;
-    output_name_buffer->value = NULL;
-
-    if (name == GSS_C_NO_NAME) {
-        *minor = EINVAL;
-        return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
-    }
-
-    *minor = krb5_unparse_name(krbContext, name->krbPrincipal, &krbName);
-    if (*minor != 0) {
-        return GSS_S_FAILURE;
-    }
-
-    major = makeStringBuffer(minor, krbName, output_name_buffer);
-    if (GSS_ERROR(major)) {
-        krb5_free_unparsed_name(krbContext, krbName);
-        return major;
-    }
-
-    krb5_free_unparsed_name(krbContext, krbName);
-
-    if (output_name_type != NULL)
-        *output_name_type = GSS_EAP_NT_PRINCIPAL_NAME;
-
-    return GSS_S_COMPLETE;
+    return gssEapDisplayName(minor, name, output_name_buffer,
+                             output_name_type);
 }
index fc54f7d..0360594 100644 (file)
@@ -37,46 +37,5 @@ gss_duplicate_name(OM_uint32 *minor,
                    const gss_name_t input_name,
                    gss_name_t *dest_name)
 {
-    OM_uint32 major, tmpMinor;
-    krb5_context krbContext;
-    gss_name_t name;
-
-    if (input_name == GSS_C_NO_NAME) {
-        *minor = EINVAL;
-        return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
-    }
-
-    GSSEAP_KRB_INIT(&krbContext);
-
-    major = gssEapAllocName(minor, &name);
-    if (GSS_ERROR(major)) {
-        return major;
-    }
-
-    /* Lock mutex for copying mutable attributes */
-    GSSEAP_MUTEX_LOCK(&input_name->mutex);
-
-    *minor = krb5_copy_principal(krbContext, input_name->krbPrincipal,
-                                 &name->krbPrincipal);
-    if (*minor != 0) {
-        major = GSS_S_FAILURE;
-        goto cleanup;
-    }
-
-    if (input_name->attrCtx != NULL) {
-        major = gssEapDuplicateAttrContext(minor, input_name, name);
-        if (GSS_ERROR(major))
-            goto cleanup;
-    }
-
-    *dest_name = name;
-
-cleanup:
-    GSSEAP_MUTEX_UNLOCK(&input_name->mutex);
-
-    if (GSS_ERROR(major)) {
-        gssEapReleaseName(&tmpMinor, &name);
-    }
-
-    return major;
+    return gssEapDuplicateName(minor, input_name, dest_name);
 }
index 2387dd6..5fc98aa 100644 (file)
@@ -37,6 +37,7 @@ gssEapExportPartialContext(OM_uint32 *minor,
                            gss_ctx_id_t ctx,
                            gss_buffer_t token)
 {
+    /* XXX we also need to serialise the current server name */
     return duplicateBuffer(minor, &ctx->acceptorCtx.state, token);
 }
 
index 9b8247d..f93c105 100644 (file)
@@ -185,4 +185,13 @@ gssEapUnwrapOrVerifyMIC(OM_uint32 *minor_status,
                         int iov_count,
                         enum gss_eap_token_type toktype);
 
+OM_uint32
+gssEapWrapIovLength(OM_uint32 *minor,
+                    gss_ctx_id_t ctx,
+                    int conf_req_flag,
+                    gss_qop_t qop_req,
+                    int *conf_state,
+                    gss_iov_buffer_desc *iov,
+                    int iov_count);
+
 #endif /* _GSSAPIP_EAP_H_ */
index 3960b92..8aeb29c 100644 (file)
@@ -43,6 +43,8 @@ gssEapImportPartialContext(OM_uint32 *minor,
     size_t remain = *pRemain;
     gss_buffer_desc buf;
 
+    /* XXX we also need to deserialise the current server name */
+
     if (remain < 4) {
         *minor = ERANGE;
         return GSS_S_DEFECTIVE_TOKEN;
index 050f335..5fcbec8 100644 (file)
@@ -313,11 +313,11 @@ eapGssSmInitIdentity(OM_uint32 *minor,
     else
         ctx->expiryTime = now + timeReq;
 
-    major = gss_duplicate_name(minor, cred->name, &ctx->initiatorName);
+    major = gssEapDuplicateName(minor, cred->name, &ctx->initiatorName);
     if (GSS_ERROR(major))
         return major;
 
-    major = gss_duplicate_name(minor, target, &ctx->acceptorName);
+    major = gssEapDuplicateName(minor, target, &ctx->acceptorName);
     if (GSS_ERROR(major))
         return major;
 
@@ -622,7 +622,7 @@ gss_init_sec_context(OM_uint32 *minor,
     if (ret_flags != NULL)
         *ret_flags = ctx->gssFlags;
     if (time_rec != NULL)
-        gss_context_time(&tmpMinor, ctx, time_rec);
+        gssEapContextTime(&tmpMinor, ctx, time_rec);
 
     assert(ctx->state == EAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
 
index 1daf446..0553040 100644 (file)
@@ -53,13 +53,13 @@ gss_inquire_context(OM_uint32 *minor,
     }
 
     if (src_name != NULL) {
-        major = gss_duplicate_name(minor, ctx->initiatorName, src_name);
+        major = gssEapDuplicateName(minor, ctx->initiatorName, src_name);
         if (GSS_ERROR(major))
             goto cleanup;
     }
 
     if (targ_name != NULL) {
-        major = gss_duplicate_name(minor, ctx->acceptorName, targ_name);
+        major = gssEapDuplicateName(minor, ctx->acceptorName, targ_name);
         if (GSS_ERROR(major))
             goto cleanup;
     }
index 2b34c4d..c74e617 100644 (file)
@@ -43,7 +43,7 @@ gss_inquire_cred(OM_uint32 *minor,
     OM_uint32 major = GSS_S_COMPLETE;
 
     if (name != NULL) {
-        major = gss_duplicate_name(minor, cred->name, name);
+        major = gssEapDuplicateName(minor, cred->name, name);
         if (GSS_ERROR(major))
             goto cleanup;
     }
index 64acb13..ca10b32 100644 (file)
@@ -50,7 +50,8 @@ gss_unwrap(OM_uint32 *minor,
     iov[1].buffer.value = NULL;
     iov[1].buffer.length = 0;
 
-    major = gss_unwrap_iov(minor, ctx, conf_state, qop_state, iov, 2);
+    major = gssEapUnwrapOrVerifyMIC(minor, ctx, conf_state, qop_state,
+                                    iov, 2, TOK_TYPE_WRAP);
     if (major == GSS_S_COMPLETE) {
         *output_message_buffer = iov[1].buffer;
     } else {
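Review bot: gss_unwrap now calls gssEapUnwrapOrVerifyMIC directly, and nothing visible in this hunk checks the context state before the call. The gss_wrap hunk in this commit adds `if (!CTX_IS_ESTABLISHED(ctx)) return GSS_S_NO_CONTEXT;` for the same reason, and gss_wrap_iov returns GSS_S_NO_CONTEXT ahead of its helper call. If gss_unwrap_iov carried an equivalent guard, this path has lost it, and a token could be processed against a context whose keys are not yet established. The start of gss_unwrap is outside the hunk, so confirm there is no earlier check; otherwise add `if (ctx == GSS_C_NO_CONTEXT || !CTX_IS_ESTABLISHED(ctx)) return GSS_S_NO_CONTEXT;` before the iov setup.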
index 3b1305c..91a3eff 100644 (file)
@@ -172,6 +172,17 @@ gssEapVerifyToken(OM_uint32 *minor,
                   enum gss_eap_token_type tokenType,
                   gss_buffer_t innerInputToken);
 
+OM_uint32
+gssEapContextTime(OM_uint32 *minor,
+                  gss_ctx_id_t context_handle,
+                  OM_uint32 *time_rec);
+
+OM_uint32
+gssEapDisplayName(OM_uint32 *minor,
+                  gss_name_t name,
+                  gss_buffer_t output_name_buffer,
+                  gss_OID *output_name_type);
+
 /* util_cred.c */
 OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
 OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
@@ -301,6 +312,10 @@ OM_uint32 gssEapImportNameInternal(OM_uint32 *minor,
                                    const gss_buffer_t input_name_buffer,
                                    gss_name_t *output_name,
                                    unsigned int flags);
+OM_uint32
+gssEapDuplicateName(OM_uint32 *minor,
+                    const gss_name_t input_name,
+                    gss_name_t *dest_name);
 
 /* util_oid.c */
 OM_uint32
index 6d3b937..a96b452 100644 (file)
@@ -195,3 +195,35 @@ gssEapVerifyToken(OM_uint32 *minor,
     *minor = 0;
     return GSS_S_COMPLETE;
 }
+
+OM_uint32
+gssEapContextTime(OM_uint32 *minor,
+                  gss_ctx_id_t context_handle,
+                  OM_uint32 *time_rec)
+{
+    if (context_handle == GSS_C_NO_CONTEXT) {
+        return GSS_S_NO_CONTEXT;
+    }
+
+    if (!CTX_IS_ESTABLISHED(context_handle)) {
+        return GSS_S_NO_CONTEXT;
+    }
+
+    *minor = 0;
+
+    if (context_handle->expiryTime == 0) {
+        *time_rec = GSS_C_INDEFINITE;
+    } else {
+        time_t now, lifetime;
+
+        time(&now);
+        lifetime = context_handle->expiryTime - now;
+        if (lifetime <= 0) {
+            *time_rec = 0;
+            return GSS_S_CONTEXT_EXPIRED;
+        }
+        *time_rec = lifetime;
+    }
+
+    return GSS_S_COMPLETE;
+}
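Review bot: Both early `GSS_S_NO_CONTEXT` returns in gssEapContextTime leave `*minor` and `*time_rec` unwritten. The gss_init_sec_context and gss_accept_sec_context hunks call it with the return value ignored, and the assert after the init call allows `GSS_S_CONTINUE_NEEDED`, so the caller's `time_rec` can come back unset when the context is not yet established. Moving `*minor = 0;` to the top and adding `*time_rec = 0;` beside it gives every path a defined output. Separately, `*time_rec = lifetime;` narrows a `time_t` to `OM_uint32`; a clamp such as `*time_rec = (lifetime > 0xFFFFFFFE) ? GSS_C_INDEFINITE : (OM_uint32)lifetime;` would make that explicit.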
index bec6120..ab24151 100644 (file)
@@ -125,7 +125,7 @@ gssEapAcquireCred(OM_uint32 *minor,
     }
 
     if (desiredName != GSS_C_NO_NAME) {
-        major = gss_duplicate_name(minor, desiredName, &cred->name);
+        major = gssEapDuplicateName(minor, desiredName, &cred->name);
         if (GSS_ERROR(major))
             goto cleanup;
     } else {
@@ -135,8 +135,8 @@ gssEapAcquireCred(OM_uint32 *minor,
             buf.value = getlogin(); /* XXX */
             buf.length = strlen((char *)buf.value);
 
-            major = gss_import_name(minor, &buf,
-                                    GSS_C_NT_USER_NAME, &cred->name);
+            major = gssEapImportName(minor, &buf,
+                                     GSS_C_NT_USER_NAME, &cred->name);
             if (GSS_ERROR(major))
                 goto cleanup;
         }
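Review bot: The context line `buf.length = strlen((char *)buf.value);` dereferences the result of `getlogin()` unchecked, and `getlogin()` returns NULL when the process has no controlling terminal, as in a daemon or cron job. The name also comes from the login records rather than the process credentials, so it is a weak basis for a default credential identity. A minimal guard is `if (buf.value == NULL) { *minor = ENOENT; major = GSS_S_FAILURE; goto cleanup; }`; the errno value is a suggestion. Deriving the name from `getpwuid(geteuid())` would address the second concern. The enclosing gssEapAcquireCred starts and ends outside the hunk.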
index e64ebdd..f4a6338 100644 (file)
@@ -458,3 +458,91 @@ cleanup:
 
     return major;
 }
+
+OM_uint32
+gssEapDuplicateName(OM_uint32 *minor,
+                    const gss_name_t input_name,
+                    gss_name_t *dest_name)
+{
+    OM_uint32 major, tmpMinor;
+    krb5_context krbContext;
+    gss_name_t name;
+
+    if (input_name == GSS_C_NO_NAME) {
+        *minor = EINVAL;
+        return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
+    }
+
+    GSSEAP_KRB_INIT(&krbContext);
+
+    major = gssEapAllocName(minor, &name);
+    if (GSS_ERROR(major)) {
+        return major;
+    }
+
+    /* Lock mutex for copying mutable attributes */
+    GSSEAP_MUTEX_LOCK(&input_name->mutex);
+
+    *minor = krb5_copy_principal(krbContext, input_name->krbPrincipal,
+                                 &name->krbPrincipal);
+    if (*minor != 0) {
+        major = GSS_S_FAILURE;
+        goto cleanup;
+    }
+
+    if (input_name->attrCtx != NULL) {
+        major = gssEapDuplicateAttrContext(minor, input_name, name);
+        if (GSS_ERROR(major))
+            goto cleanup;
+    }
+
+    *dest_name = name;
+
+cleanup:
+    GSSEAP_MUTEX_UNLOCK(&input_name->mutex);
+
+    if (GSS_ERROR(major)) {
+        gssEapReleaseName(&tmpMinor, &name);
+    }
+
+    return major;
+}
+
+OM_uint32
+gssEapDisplayName(OM_uint32 *minor,
+                  gss_name_t name,
+                  gss_buffer_t output_name_buffer,
+                  gss_OID *output_name_type)
+{
+    OM_uint32 major, tmpMinor;
+    krb5_context krbContext;
+    char *krbName;
+
+    GSSEAP_KRB_INIT(&krbContext);
+
+    output_name_buffer->length = 0;
+    output_name_buffer->value = NULL;
+
+    if (name == GSS_C_NO_NAME) {
+        *minor = EINVAL;
+        return GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME;
+    }
+
+    *minor = krb5_unparse_name(krbContext, name->krbPrincipal, &krbName);
+    if (*minor != 0) {
+        return GSS_S_FAILURE;
+    }
+
+    major = makeStringBuffer(minor, krbName, output_name_buffer);
+    if (GSS_ERROR(major)) {
+        krb5_free_unparsed_name(krbContext, krbName);
+        return major;
+    }
+
+    krb5_free_unparsed_name(krbContext, krbName);
+
+    if (output_name_type != NULL)
+        *output_name_type = GSS_EAP_NT_PRINCIPAL_NAME;
+
+    return GSS_S_COMPLETE;
+}
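Review bot: gssEapDuplicateName writes `*dest_name` only on success, so callers that pass an uninitialised output (several hunks in this commit hand it caller-supplied `src_name`/`targ_name` pointers) get an indeterminate handle on every error path. Setting `*dest_name = GSS_C_NO_NAME;` at entry would make a later release on the caller's side safe. In gssEapDisplayName, `output_name_buffer` is dereferenced before any argument is validated, and `tmpMinor` is declared but never used. Both functions would benefit from a short header comment that states who owns the returned name or buffer and how it must be released.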
index 111bad6..081b9cb 100644 (file)
@@ -153,7 +153,7 @@ isHiddenAttributeP(int attrid, int vendor)
         default:
             break;
         }
-    case VENDOR_ID_GSS_EAP:
+    case VENDOR_ID_UKERNA:
         ret = true;
         break;
     default:
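Review bot: The inner `switch` closes with `}` and control then reaches `case VENDOR_ID_UKERNA:` with no `break;` in between. Whatever the preceding vendor case decided is therefore overwritten by `ret = true;`, and every attribute of that vendor is reported as hidden. If that is the intent, the inner switch is dead code and a `/* fallthrough */` comment should say so. Otherwise add `break;` after the inner switch's closing brace. The preceding case label and the start of isHiddenAttributeP are outside the hunk, so this reading rests on the context lines shown.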
index cc84900..3446fab 100644 (file)
@@ -142,9 +142,9 @@ enum { VENDOR_ATTR_MS_MPPE_SEND_KEY = 16,
        VENDOR_ATTR_MS_MPPE_RECV_KEY = 17
 };
 
-#define VENDOR_ID_GSS_EAP   5322    /* XXX TODO assign */
+#define VENDOR_ID_UKERNA    25622
 
-enum { VENDOR_ATTR_GSS_ACCEPTOR_SERVICE_NAME = 1,
+enum { VENDOR_ATTR_GSS_ACCEPTOR_SERVICE_NAME = 128,
        VENDOR_ATTR_GSS_ACCEPTOR_HOST_NAME,
        VENDOR_ATTR_GSS_ACCEPTOR_REALM_NAME,
        VENDOR_ATTR_SAML_AAA_ASSERTION
index 922b64c..cb539c2 100644 (file)
 #include <sstream>
 
 #include <xercesc/util/XMLUniDefs.hpp>
+#include <xmltooling/unicode.h>
 #include <xmltooling/XMLToolingConfig.h>
 #include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/util/ParserPool.h>
+#include <xmltooling/util/DateTime.h>
 
 #include <saml/saml1/core/Assertions.h>
 #include <saml/saml2/core/Assertions.h>
@@ -96,11 +99,14 @@ gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *mana
     if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
         return false;
 
+    /*
+     * XXX TODO we need to support draft-howlett-radius-saml-attr-00
+     */
     radius = static_cast<const gss_eap_radius_attr_provider *>
         (m_manager->getProvider(ATTR_TYPE_RADIUS));
     if (radius != NULL &&
         radius->getFragmentedAttribute(VENDOR_ATTR_SAML_AAA_ASSERTION,
-                                       VENDOR_ID_GSS_EAP,
+                                       VENDOR_ID_UKERNA,
                                        &authenticated, &complete, &value)) {
         setAssertion(&value, authenticated);
         gss_release_buffer(&minor, &value);
@@ -120,7 +126,9 @@ gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
 
     if (assertion != NULL) {
 #if 0
-        m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
+        XMLObject *tmp = assertion->clone();
+        m_assertion = dynamic_cast<saml2::Assertion *>(tmp);
+//        m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
 #else
         m_assertion = (saml2::Assertion *)((void *)assertion->clone());
 #endif
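Review bot: The live `#else` branch still converts the result of `assertion->clone()` through `(void *)`, which reinterprets the pointer without the adjustment a cast between base and derived would apply. That is only correct if the `XMLObject` and `saml2::Assertion` subobjects share an address, and a wrong-typed clone would go undetected. The change here only edits the disabled `#if 0` branch and leaves a commented-out line behind. If `dynamic_cast` is disabled because of an RTTI or linkage problem, a comment stating that reason would be better than the dead code. A `static_cast` from the base type, if the hierarchy permits it, would at least adjust the pointer.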
index b469aed..f7cd1d0 100644 (file)
 
 #include <shibsp/exceptions.h>
 #include <shibsp/attribute/SimpleAttribute.h>
-#include <shibsp/handler/AssertionConsumerService.h>
 
 #include <shibresolver/resolver.h>
 
+#include <sstream>
+
 #include "gssapiP_eap.h"
 
 using namespace shibsp;
 using namespace shibresolver;
 using namespace opensaml::saml2md;
 using namespace opensaml;
-using namespace xmltooling::logging;
 using namespace xmltooling;
-using namespace xercesc;
 using namespace std;
 
 gss_eap_shib_attr_provider::gss_eap_shib_attr_provider(void)
@@ -165,7 +164,7 @@ gss_eap_shib_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
     resolver = ShibbolethResolver::create();
 
     if (gssCred != GSS_C_NO_CREDENTIAL &&
-        gss_display_name(&minor, gssCred->name, &nameBuf, NULL) == GSS_S_COMPLETE)
+        gssEapDisplayName(&minor, gssCred->name, &nameBuf, NULL) == GSS_S_COMPLETE)
         resolver->setApplicationID((const char *)nameBuf.value);
 
     m_authenticated = false;
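Review bot: `nameBuf.value` is passed to `setApplicationID` as a C string, which is only safe if gssEapDisplayName always NUL-terminates the buffer. That depends on makeStringBuffer, which is not visible here. Using the length explicitly avoids the dependency: `std::string appId((const char *)nameBuf.value, nameBuf.length); resolver->setApplicationID(appId.c_str());`. No `gss_release_buffer(&minor, &nameBuf);` appears in the hunk either, so unless it happens further down in initFromGssContext (the function continues outside the hunk) the buffer leaks on each call.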
@@ -190,14 +189,6 @@ gss_eap_shib_attr_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
 
     delete resolver;
 
-#if 0
-    gss_buffer_desc testattr = {
-        sizeof("urn:greet:greeting") - 1, (void *)"urn:greet:greeting" };
-    gss_buffer_desc testval =
-        { sizeof("Hello, GSS EAP.") - 1, (void *)"Hello, GSS EAP." };
-    setAttribute(true, &testattr, &testval);
-#endif /* GSSEAP_DEBUG */
-
     return true;
 }
 
index 5f81544..4208e91 100644 (file)
@@ -46,6 +46,9 @@ gss_wrap(OM_uint32 *minor,
     unsigned char *p;
     int i;
 
+    if (!CTX_IS_ESTABLISHED(ctx))
+        return GSS_S_NO_CONTEXT;
+
     iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
     iov[0].buffer.value = NULL;
     iov[0].buffer.length = 0;
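Review bot: The added guard evaluates `CTX_IS_ESTABLISHED(ctx)` without first checking `ctx` against `GSS_C_NO_CONTEXT`, and it returns without setting `*minor`. gssEapContextTime, added in this same commit, checks `context_handle == GSS_C_NO_CONTEXT` before using the macro, which suggests the macro dereferences its argument. Writing the guard as `if (ctx == GSS_C_NO_CONTEXT || !CTX_IS_ESTABLISHED(ctx)) { *minor = 0; return GSS_S_NO_CONTEXT; }` would keep a null handle from an application from reaching the dereference. The macro definition and the start of gss_wrap are outside the hunk.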
@@ -61,7 +64,7 @@ gss_wrap(OM_uint32 *minor,
     iov[3].buffer.value = NULL;
     iov[3].buffer.length = 0;
 
-    major = gss_wrap_iov_length(minor, ctx, conf_req_flag, qop_req,
+    major = gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req,
                                 NULL, iov, 4);
     if (GSS_ERROR(major)) {
         return major;
@@ -85,7 +88,8 @@ gss_wrap(OM_uint32 *minor,
         p += iov[i].buffer.length;
     }
 
-    major = gss_wrap_iov(minor, ctx, conf_req_flag, qop_req, conf_state, iov, 4);
+    major = gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
+                               iov, 4, TOK_TYPE_WRAP);
     if (GSS_ERROR(major)) {
         gss_release_buffer(&tmpMinor, output_message_buffer);
     }
index 41d7754..9a10fe3 100644 (file)
@@ -319,5 +319,5 @@ gss_wrap_iov(OM_uint32 *minor,
         return GSS_S_NO_CONTEXT;
 
     return gssEapWrapOrGetMIC(minor, ctx, conf_req_flag, conf_state,
-                             iov, iov_count, TOK_TYPE_WRAP);
+                              iov, iov_count, TOK_TYPE_WRAP);
 }
index 9456906..c451cb2 100644 (file)
@@ -60,7 +60,7 @@
     while (0)
 
 OM_uint32
-gss_wrap_iov_length(OM_uint32 *minor,
+gssEapWrapIovLength(OM_uint32 *minor,
                     gss_ctx_id_t ctx,
                     int conf_req_flag,
                     gss_qop_t qop_req,
@@ -178,3 +178,16 @@ gss_wrap_iov_length(OM_uint32 *minor,
     *minor = 0;
     return GSS_S_COMPLETE;
 }
+
+OM_uint32
+gss_wrap_iov_length(OM_uint32 *minor,
+                    gss_ctx_id_t ctx,
+                    int conf_req_flag,
+                    gss_qop_t qop_req,
+                    int *conf_state,
+                    gss_iov_buffer_desc *iov,
+                    int iov_count)
+{
+    return gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req,
+                               conf_state, iov, iov_count);
+}
index 39906dd..0e640ae 100644 (file)
@@ -59,7 +59,7 @@ gss_wrap_size_limit(OM_uint32 *minor,
     iov[3].buffer.value = NULL;
     iov[3].buffer.length = 0;
 
-    major = gss_wrap_iov_length(minor, ctx, conf_req_flag, qop_req,
+    major = gssEapWrapIovLength(minor, ctx, conf_req_flag, qop_req,
                                 NULL, iov, 4);
     if (GSS_ERROR(major)) {
         return major;