eapGssSmAcceptGssReauth(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target,
+ gss_const_name_t target,
gss_OID mech,
OM_uint32 reqFlags,
OM_uint32 timeReq,
eapGssSmAcceptAcceptorName(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptVendorInfo(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx GSSEAP_UNUSED,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptIdentity(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
* Choose the correct error for an access reject packet.
*/
static OM_uint32
-eapGssAcceptHandleReject(
- OM_uint32 *minor,
+eapGssAcceptHandleReject(OM_uint32 *minor,
struct rs_packet *response)
{
rs_avp **vps;
- rs_const_avp *vp = NULL;
+ rs_const_avp *vp = NULL;
OM_uint32 major;
- const char * reply_message = NULL;
+ const char *reply_message = NULL;
size_t reply_length = 0;
rs_packet_avps(response, &vps);
PW_ERROR_CAUSE, 0, &vp);
if (!GSS_ERROR(major)) {
switch (rs_avp_integer_value(vp)) {
- /* Values from http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-18 */
- case 502: /*request not routable (proxy)*/
+ /* Values from http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-18 */
+ case 502: /* request not routable (proxy) */
*minor = GSSEAP_RADIUS_UNROUTABLE;
break;
- case 501: /*administratively prohibited*/
+ case 501: /* administratively prohibited */
*minor = GSSEAP_RADIUS_ADMIN_PROHIBIT;
break;
*minor = GSSEAP_RADIUS_AUTH_FAILURE;
break;
}
- } else *minor = GSSEAP_RADIUS_AUTH_FAILURE;
+ } else
+ *minor = GSSEAP_RADIUS_AUTH_FAILURE;
- if (reply_message)
+ if (reply_message != NULL)
gssEapSaveStatusInfo(*minor, "%s: %.*s", error_message(*minor),
reply_length, reply_message);
- else gssEapSaveStatusInfo( *minor, "%s", error_message(*minor));
+ else
+ gssEapSaveStatusInfo(*minor, "%s", error_message(*minor));
+
return GSS_S_DEFECTIVE_CREDENTIAL;
}
+
/*
* Process a EAP response from the initiator.
*/
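Review bot: The `%.*s` conversion in the gssEapSaveStatusInfo call that this hunk reformats (the `if (reply_message != NULL)` branch) takes an `int` precision, but `reply_length` is declared `size_t` three lines into the function; passing a `size_t` through varargs where `int` is expected is undefined behaviour and on LP64 targets can read the wrong argument slot. The cast belongs in the call: `reply_length` → `(int)reply_length`, ideally after clamping to `INT_MAX` since the length comes from a RADIUS Reply-Message attribute rather than from local data. The rendered hunk does not show where `reply_message` and `reply_length` are assigned, so I cannot tell whether the length is already bounded before this point. A one-line comment on the `switch` default path would also help, since the rendering drops the `default:` label between the `case 501` block and the fallback `GSSEAP_RADIUS_AUTH_FAILURE` assignment.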
eapGssSmAcceptAuthenticate(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptGssFlags(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
krb5_data data;
krb5_checksum cksum;
krb5_boolean valid = FALSE;
+#ifdef HAVE_HEIMDAL_VERSION
+ krb5_crypto krbCrypto;
+#endif
if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
chanBindings->application_data.length == 0)
KRB_CHECKSUM_INIT(&cksum, ctx->checksumType, inputToken);
+#ifdef HAVE_HEIMDAL_VERSION
+ code = krb5_crypto_init(krbContext, &ctx->rfc3961Key, 0, &krbCrypto);
+ if (code != 0) {
+ *minor = code;
+ return GSS_S_FAILURE;
+ }
+
+ code = krb5_verify_checksum(krbContext, krbCrypto,
+ KEY_USAGE_GSSEAP_CHBIND_MIC,
+ data.data, data.length, &cksum);
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
+ code = 0;
+ valid = FALSE;
+ } else if (code == 0) {
+ valid = TRUE;
+ }
+
+ krb5_crypto_destroy(krbContext, krbCrypto);
+#else
code = krb5_c_verify_checksum(krbContext, &ctx->rfc3961Key,
KEY_USAGE_GSSEAP_CHBIND_MIC,
&data, &cksum, &valid);
+#endif /* HAVE_HEIMDAL_VERSION */
if (code != 0) {
*minor = code;
return GSS_S_FAILURE;
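Review bot: The new Heimdal branch deliberately turns `KRB5KRB_AP_ERR_BAD_INTEGRITY` into `code = 0; valid = FALSE;` so that a mismatched channel-binding MIC is reported through `valid` instead of as a generic failure, but nothing in the hunk says so; the MIT path gets the same distinction for free from `krb5_c_verify_checksum`'s out-parameter. A comment above the `if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)` line would keep the two paths aligned: `/* A bad MIC is a bindings mismatch, not an error: report it via valid so the caller rejects with a bindings-specific status */`. The check that acts on `valid` is presumably after this hunk and the `valid = FALSE` initialiser at the top gives a safe reject-by-default, which is worth stating in that comment too. The enclosing function starts before and ends after this hunk.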
eapGssSmAcceptInitiatorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptReauthCreds(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptAcceptorMIC(OM_uint32 *minor,
gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
eapGssSmAcceptGssReauth(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
- gss_name_t target GSSEAP_UNUSED,
+ gss_const_name_t target GSSEAP_UNUSED,
gss_OID mech,
OM_uint32 reqFlags GSSEAP_UNUSED,
OM_uint32 timeReq GSSEAP_UNUSED,
OM_uint32 GSSAPI_CALLCONV
gss_accept_sec_context(OM_uint32 *minor,
gss_ctx_id_t *context_handle,
+#ifdef HAVE_HEIMDAL_VERSION
+ gss_const_cred_id_t cred,
+#else
gss_cred_id_t cred,
+#endif
gss_buffer_t input_token,
gss_channel_bindings_t input_chan_bindings,
gss_name_t *src_name,
major = gssEapAcceptSecContext(minor,
ctx,
- cred,
+ (gss_cred_id_t)cred,
input_token,
input_chan_bindings,
src_name,
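Review bot: The `(gss_cred_id_t)cred` cast silently discards the `const` that the Heimdal-side prototype (`gss_const_cred_id_t cred` in the signature hunk above) promises to callers; the compiler will no longer complain if `gssEapAcceptSecContext` or anything beneath it modifies the credential. If the callee really only reads it, say so where the cast is: `(gss_cred_id_t)cred, /* Heimdal declares cred const; callee treats it read-only */`; if it can write to it (for example to resolve or lock it), the const in the public signature is misleading and should be reconsidered. I cannot see `gssEapAcceptSecContext`'s signature here, so I cannot tell which of the two applies; threading `gss_const_cred_id_t` through it would remove the cast altogether.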
gssEapReleaseContext(&tmpMinor, context_handle);
gssEapTraceStatus("gss_accept_sec_context", major, *minor);
+
return major;
}