Updated through tag hostap_2_5 from git://w1.fi/hostap.git
index 60d15ba..a9d8891 100644 (file)
 #include "util_radius.h"
 #include "utils/radius_utils.h"
 
+/* methods allowed for phase1 authentication*/
+static const struct eap_method_type allowed_eap_method_types[] = {
+    {EAP_VENDOR_IETF, EAP_TYPE_TTLS},
+    {EAP_VENDOR_IETF, EAP_TYPE_NONE}};
+
 static OM_uint32
 policyVariableToFlag(enum eapol_bool_var variable)
 {
@@ -73,6 +78,9 @@ policyVariableToFlag(enum eapol_bool_var variable)
     case EAPOL_altReject:
         flag = CTX_FLAG_EAP_ALT_REJECT;
         break;
+    case EAPOL_eapTriggerStart:
+        flag = CTX_FLAG_EAP_TRIGGER_START;
+        break;
     }
 
     return flag;
@@ -180,6 +188,8 @@ peerGetConfigBlob(void *ctx,
         index = CONFIG_BLOB_CLIENT_CERT;
     else if (strcmp(name, "private-key") == 0)
         index = CONFIG_BLOB_PRIVATE_KEY;
+    else if (strcmp(name, "ca-cert") == 0)
+        index = CONFIG_BLOB_CA_CERT;
     else
         return NULL;
 
@@ -203,9 +213,6 @@ static struct eapol_callbacks gssEapPolicyCallbacks = {
     peerNotifyPending,
 };
 
-#ifdef GSSEAP_DEBUG
-extern int wpa_debug_level;
-#endif
 
 #define CHBIND_SERVICE_NAME_FLAG        0x01
 #define CHBIND_HOST_NAME_FLAG           0x02
@@ -274,6 +281,9 @@ peerInitEapChannelBinding(OM_uint32 *minor, gss_ctx_id_t ctx)
         major = gssEapRadiusAddAttr(minor, &buf,
                                     PW_GSS_ACCEPTOR_REALM_NAME,
                                     0, &nameBuf);
+        if (GSS_ERROR(major))
+            goto cleanup;
+
         chbindReqFlags |= CHBIND_REALM_NAME_FLAG;
     }
 
@@ -363,16 +373,14 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
     eapPeerConfig->anonymous_identity_len = 0;
     eapPeerConfig->password = NULL;
     eapPeerConfig->password_len = 0;
+    eapPeerConfig->eap_methods = (struct eap_method_type *) allowed_eap_method_types;
 
     GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
 
     GSSEAP_KRB_INIT(&krbContext);
 
     eapPeerConfig->fragment_size = 1024;
-#ifdef GSSEAP_DEBUG
-    wpa_debug_level = 0;
-#endif
-
+    
     GSSEAP_ASSERT(cred->name != GSS_C_NO_NAME);
 
     if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {
@@ -412,6 +420,8 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
     eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
     eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
     eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+    configBlobs[CONFIG_BLOB_CA_CERT].data = cred->caCertificateBlob.value;
+    configBlobs[CONFIG_BLOB_CA_CERT].len = cred->caCertificateBlob.length;
 
     /* eap channel binding */
     if (ctx->initiatorCtx.chbindData != NULL) {
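Review bot: The two new `configBlobs[CONFIG_BLOB_CA_CERT]` stores index the array by the enum value added alongside "ca-cert" in peerGetConfigBlob, but the array's declaration is outside this hunk; if `configBlobs` is sized by a literal rather than by the enum count, these writes land past its end. Confirm the declaration grows with the new index, or size it from the enum's last member, e.g. `struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];` with a terminating enum member (constructed names). peerConfigInit starts and ends outside this hunk.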
@@ -451,7 +461,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
             eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
             eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
         }
-        eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
+        eapPeerConfig->private_key_passwd = (char *)cred->password.value;
     }
 
     *minor = 0;
@@ -616,7 +626,10 @@ eapGssSmInitError(OM_uint32 *minor,
     p = (unsigned char *)inputToken->value;
 
     major = load_uint32_be(&p[0]);
-    *minor = ERROR_TABLE_BASE_eapg + load_uint32_be(&p[4]);
+    *minor =  load_uint32_be(&p[4]);
+    if ((*minor >0) && (*minor < 128))
+      * minor += ERROR_TABLE_BASE_eapg;
+    else *minor = 0;
 
     if (!GSS_ERROR(major) || !IS_WIRE_ERROR(*minor)) {
         major = GSS_S_FAILURE;
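Review bot: The new minor-status range check is formatted unlike the rest of the file: a double space after `=`, a two-space-indented `* minor += ...` with the dereference split from its operand, and `else *minor = 0;` on one line without braces. Reformat it as a four-space `if`/`else` with `*minor` written normally, and give `128` a name (for example an enum constant `WIRE_MINOR_LIMIT`, name constructed here) with a one-line comment stating that wire minor codes are expected in `1..127`. Out-of-range values are silently replaced by 0 and then rejected by the `IS_WIRE_ERROR` test below, so the original code is lost for diagnostics; worth a comment saying that is intended, or tracing the raw value first. This also reads eight bytes from `inputToken->value`; eapGssSmInitError starts outside the hunk, so confirm the token length is checked against 8 before `p[4]` is read.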
@@ -964,6 +977,11 @@ eapGssSmInitGssFlags(OM_uint32 *minor,
     unsigned char wireFlags[4];
     gss_buffer_desc flagsBuf;
 
+    /*
+     * As a temporary measure, force mutual authentication until channel binding is
+     * more widely deployed.
+     */
+    ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
     store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags);
 
     flagsBuf.length = sizeof(wireFlags);
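Review bot: Moving `ctx->gssFlags |= GSS_C_MUTUAL_FLAG` ahead of `store_uint32_be` changes more than where the flag is set: the previous location (the acceptor-MIC state, removed further down in this commit) set it only after the acceptor MIC was verified, whereas here it is ORed in before the flags are masked and serialised, so it is now also transmitted to the acceptor as a requested flag. If that is intended, the carried-over comment should say so, e.g. `/* Set before serialisation so the acceptor also sees mutual auth requested. */`; if not, keep the serialised value unchanged. eapGssSmInitGssFlags starts and ends outside this hunk.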
@@ -1101,11 +1119,6 @@ eapGssSmInitAcceptorMIC(OM_uint32 *minor,
     if (GSS_ERROR(major))
         return major;
 
-    /*
-     * As a temporary measure, force mutual authentication until channel binding is
-     * more widely deployed.
-     */
-    ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
     GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
 
     *minor = 0;
@@ -1352,5 +1365,6 @@ gss_init_sec_context(OM_uint32 *minor,
     if (GSS_ERROR(major))
         gssEapReleaseContext(&tmpMinor, context_handle);
 
+    gssEapTraceStatus( "gss_init_sec_context", major, *minor);
     return major;
 }
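Review bot: The added trace call has a stray space after the opening parenthesis, unlike every other call in the file; write it as `gssEapTraceStatus("gss_init_sec_context", major, *minor);`. gss_init_sec_context starts outside this hunk.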