return GSS_S_FAILURE;
}
- *minor = krb5_init_context(&ctx->kerberosCtx);
- if (*minor != 0) {
+ if (GSSEAP_MUTEX_INIT(&ctx->mutex) != 0) {
+ *minor = errno;
gssEapReleaseContext(&tmpMinor, &ctx);
return GSS_S_FAILURE;
}
+ ctx->state = EAP_STATE_AUTHENTICATE;
+
+ /*
+ * Integrity, confidentiality, sequencing and replay detection are
+ * always available. Regardless of what flags are requested in
+ * GSS_Init_sec_context, implementations MUST set the flag corresponding
+ * to these services in the output of GSS_Init_sec_context and
+ * GSS_Accept_sec_context.
+ */
+ ctx->gssFlags = GSS_C_INTEG_FLAG |
+ GSS_C_CONF_FLAG |
+ GSS_C_SEQUENCE_FLAG |
+ GSS_C_REPLAY_FLAG;
+
*pCtx = ctx;
return GSS_S_COMPLETE;
gssEapReleaseContext(OM_uint32 *minor,
gss_ctx_id_t *pCtx)
{
- OM_uint32 major, tmpMinor;
+ OM_uint32 tmpMinor;
gss_ctx_id_t ctx = *pCtx;
+ krb5_context krbContext = NULL;
if (ctx == GSS_C_NO_CONTEXT) {
return GSS_S_COMPLETE;
}
+ gssEapKerberosInit(&tmpMinor, &krbContext);
+
if (CTX_IS_INITIATOR(ctx)) {
releaseInitiatorContext(&ctx->initiatorCtx);
} else {
releaseAcceptorContext(&ctx->acceptorCtx);
}
- if (ctx->rfc3961Key != NULL) {
- krb5_free_keyblock(ctx->kerberosCtx, ctx->rfc3961Key);
- }
-
- if (ctx->kerberosCtx != NULL) {
- krb5_free_context(ctx->kerberosCtx);
- }
-
+ krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key);
gssEapReleaseName(&tmpMinor, &ctx->initiatorName);
gssEapReleaseName(&tmpMinor, &ctx->acceptorName);
gss_release_oid(&tmpMinor, &ctx->mechanismUsed);
sequenceFree(ctx->seqState);
+ GSSEAP_MUTEX_DESTROY(&ctx->mutex);
+
memset(ctx, 0, sizeof(*ctx));
GSSEAP_FREE(ctx);
*pCtx = GSS_C_NO_CONTEXT;
*minor = 0;
return GSS_S_COMPLETE;
}
+
+OM_uint32
+gssEapMakeToken(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ const gss_buffer_t innerToken,
+ enum gss_eap_token_type tokenType,
+ gss_buffer_t outputToken)
+{
+ unsigned char *p;
+
+ outputToken->length = tokenSize(ctx->mechanismUsed, innerToken->length);
+ outputToken->value = GSSEAP_MALLOC(outputToken->length);
+ if (outputToken->value == NULL) {
+ *minor = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+
+ p = (unsigned char *)outputToken->value;
+ makeTokenHeader(ctx->mechanismUsed, innerToken->length, &p, tokenType);
+ memcpy(p, innerToken->value, innerToken->length);
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapVerifyToken(OM_uint32 *minor,
+ gss_ctx_id_t ctx,
+ const gss_buffer_t inputToken,
+ enum gss_eap_token_type tokenType,
+ gss_buffer_t innerInputToken)
+{
+ OM_uint32 major;
+ size_t bodySize;
+ unsigned char *p = (unsigned char *)inputToken->value;
+ gss_OID_desc oidBuf;
+ gss_OID oid;
+
+ if (ctx->mechanismUsed != GSS_C_NO_OID) {
+ oid = ctx->mechanismUsed;
+ } else {
+ oidBuf.elements = NULL;
+ oidBuf.length = 0;
+ oid = &oidBuf;
+ }
+
+ major = verifyTokenHeader(oid, &bodySize, &p, inputToken->length, tokenType);
+ if (GSS_ERROR(major))
+ return major;
+
+ if (ctx->mechanismUsed != GSS_C_NO_OID) {
+ if (!gssEapIsConcreteMechanismOid(oid))
+ return GSS_S_BAD_MECH;
+
+ if (!gssEapInternalizeOid(oid, &ctx->mechanismUsed)) {
+ major = duplicateOid(minor, oid, &ctx->mechanismUsed);
+ if (GSS_ERROR(major))
+ return major;
+ }
+ }
+
+ innerInputToken->length = bodySize;
+ innerInputToken->value = p;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}