gss_OID actualMech = GSS_C_NO_OID;
OM_uint32 gssFlags, timeRec;
- GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
-
+ /*
+ * Here we use the passed in credential handle because the resolved
+ * context credential does not currently have the reauth creds.
+ */
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
if (!gssEapCanReauthP(cred, target, timeReq))
return GSS_S_CONTINUE_NEEDED;
goto cleanup;
}
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
+
major = gssEapMechToGlueName(minor, target, &mechTarget);
if (GSS_ERROR(major))
goto cleanup;
OM_uint32 *smFlags)
{
OM_uint32 major;
- gss_buffer_desc buffer = GSS_C_EMPTY_BUFFER;
+ krb5_error_code code;
+ krb5_context krbContext;
+ krb5_data data;
+ krb5_checksum cksum;
+ gss_buffer_desc cksumBuffer;
- if (chanBindings != GSS_C_NO_CHANNEL_BINDINGS)
- buffer = chanBindings->application_data;
+ if (chanBindings == GSS_C_NO_CHANNEL_BINDINGS ||
+ chanBindings->application_data.length == 0)
+ return GSS_S_CONTINUE_NEEDED;
- major = gssEapWrap(minor, ctx, TRUE, GSS_C_QOP_DEFAULT,
- &buffer, NULL, outputToken);
- if (GSS_ERROR(major))
- return major;
+ GSSEAP_KRB_INIT(&krbContext);
- GSSEAP_ASSERT(outputToken->value != NULL);
+ KRB_DATA_INIT(&data);
+
+ gssBufferToKrbData(&chanBindings->application_data, &data);
+
+ code = krb5_c_make_checksum(krbContext, ctx->checksumType,
+ &ctx->rfc3961Key,
+ KEY_USAGE_GSSEAP_CHBIND_MIC,
+ &data, &cksum);
+ if (code != 0) {
+ *minor = code;
+ return GSS_S_FAILURE;
+ }
+
+ cksumBuffer.length = KRB_CHECKSUM_LENGTH(&cksum);
+ cksumBuffer.value = KRB_CHECKSUM_DATA(&cksum);
+
+ major = duplicateBuffer(minor, &cksumBuffer, outputToken);
+ if (GSS_ERROR(major)) {
+ krb5_free_checksum_contents(krbContext, &cksum);
+ return major;
+ }
*minor = 0;
*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
+ krb5_free_checksum_contents(krbContext, &cksum);
+
return GSS_S_CONTINUE_NEEDED;
}
return GSS_S_CONTINUE_NEEDED;
}
-
+
#ifdef GSSEAP_ENABLE_REAUTH
static OM_uint32
eapGssSmInitReauthCreds(OM_uint32 *minor,
ITOK_TYPE_NONE,
ITOK_TYPE_GSS_CHANNEL_BINDINGS,
GSSEAP_STATE_INITIATOR_EXTS,
- SM_ITOK_FLAG_REQUIRED,
+ 0,
eapGssSmInitGssChannelBindings
},
{
OM_uint32 major, tmpMinor;
int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);
+ /*
+ * XXX is acquiring the credential lock here necessary? The password is
+ * mutable but the contract could specify that this is not updated whilst
+ * a context is being initialized.
+ */
if (cred != GSS_C_NO_CREDENTIAL)
GSSEAP_MUTEX_LOCK(&cred->mutex);
output_token->length = 0;
output_token->value = NULL;
- GSSEAP_ASSERT(ctx == GSS_C_NO_CONTEXT || ctx->mechanismUsed != GSS_C_NO_OID);
-
if (ctx == GSS_C_NO_CONTEXT) {
if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
*minor = GSSEAP_WRONG_SIZE;