Better error reporting through com_err

[mech_eap.git] / util_context.c

diff --git a/util_context.c b/util_context.c
index fab4313..ae3712a 100644 (file)
--- a/util_context.c
+++ b/util_context.c
@@ -53,11 +53,20 @@ gssEapAllocContext(OM_uint32 *minor,
         return GSS_S_FAILURE;
     }
 
-    *minor = krb5_init_context(&ctx->kerberosCtx);
-    if (*minor != 0) {
-        gssEapReleaseContext(&tmpMinor, &ctx);
-        return GSS_S_FAILURE;
-    }
+    ctx->state = EAP_STATE_IDENTITY;
+
+    /*
+     * Integrity, confidentiality, sequencing and replay detection are
+     * always available.  Regardless of what flags are requested in
+     * GSS_Init_sec_context, implementations MUST set the flag corresponding
+     * to these services in the output of GSS_Init_sec_context and
+     * GSS_Accept_sec_context.
+    */
+    ctx->gssFlags = GSS_C_TRANS_FLAG    |   /* exporting contexts */
+                    GSS_C_INTEG_FLAG    |   /* integrity */
+                    GSS_C_CONF_FLAG     |   /* confidentiality */
+                    GSS_C_SEQUENCE_FLAG |   /* sequencing */
+                    GSS_C_REPLAY_FLAG;      /* replay detection */
 
     *pCtx = ctx;
 
@@ -65,46 +74,60 @@ gssEapAllocContext(OM_uint32 *minor,
 }
 
 static void
-releaseInitiatorContext(struct eap_gss_initiator_ctx *ctx)
+releaseInitiatorContext(struct gss_eap_initiator_ctx *ctx)
 {
+    OM_uint32 minor;
+
+    gssEapReleaseCred(&minor, &ctx->defaultCred);
     eap_peer_sm_deinit(ctx->eap);
-    wpabuf_free(ctx->eapReqData);
 }
 
 static void
-releaseAcceptorContext(struct eap_gss_acceptor_ctx *ctx)
+releaseAcceptorContext(struct gss_eap_acceptor_ctx *ctx)
 {
+    OM_uint32 tmpMinor;
+
+    if (ctx->radConn != NULL)
+        rs_conn_destroy(ctx->radConn);
+    if (ctx->radHandle != NULL)
+        rs_context_destroy(ctx->radHandle);
+    if (ctx->radServer != NULL)
+        GSSEAP_FREE(ctx->radServer);
+    gss_release_buffer(&tmpMinor, &ctx->state);
+    if (ctx->vps != NULL)
+        gssEapRadiusFreeAvps(&tmpMinor, &ctx->vps);
 }
 
 OM_uint32
 gssEapReleaseContext(OM_uint32 *minor,
                      gss_ctx_id_t *pCtx)
 {
-    OM_uint32 major, tmpMinor;
+    OM_uint32 tmpMinor;
     gss_ctx_id_t ctx = *pCtx;
+    krb5_context krbContext = NULL;
 
     if (ctx == GSS_C_NO_CONTEXT) {
         return GSS_S_COMPLETE;
     }
 
+    gssEapKerberosInit(&tmpMinor, &krbContext);
+
+#ifdef GSSEAP_ENABLE_REAUTH
+    if (ctx->flags & CTX_FLAG_KRB_REAUTH_GSS) {
+        gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
+    } else
+#endif
     if (CTX_IS_INITIATOR(ctx)) {
         releaseInitiatorContext(&ctx->initiatorCtx);
     } else {
         releaseAcceptorContext(&ctx->acceptorCtx);
     }
 
-    if (ctx->rfc3961Key != NULL) {
-        krb5_free_keyblock(ctx->kerberosCtx, ctx->rfc3961Key);
-    }
-
-    if (ctx->kerberosCtx != NULL) {
-        krb5_free_context(ctx->kerberosCtx);
-    }
-
+    krb5_free_keyblock_contents(krbContext, &ctx->rfc3961Key);
     gssEapReleaseName(&tmpMinor, &ctx->initiatorName);
     gssEapReleaseName(&tmpMinor, &ctx->acceptorName);
     gss_release_oid(&tmpMinor, &ctx->mechanismUsed);
-    sequenceFree(ctx->seqState);
+    sequenceFree(&tmpMinor, &ctx->seqState);
 
     GSSEAP_MUTEX_DESTROY(&ctx->mutex);
 
@@ -115,3 +138,95 @@ gssEapReleaseContext(OM_uint32 *minor,
     *minor = 0;
     return GSS_S_COMPLETE;
 }
+
+OM_uint32
+gssEapMakeToken(OM_uint32 *minor,
+                gss_ctx_id_t ctx,
+                const gss_buffer_t innerToken,
+                enum gss_eap_token_type tokenType,
+                gss_buffer_t outputToken)
+{
+    unsigned char *p;
+
+    outputToken->length = tokenSize(ctx->mechanismUsed, innerToken->length);
+    outputToken->value = GSSEAP_MALLOC(outputToken->length);
+    if (outputToken->value == NULL) {
+        *minor = ENOMEM;
+        return GSS_S_FAILURE;
+    }
+
+    p = (unsigned char *)outputToken->value;
+    makeTokenHeader(ctx->mechanismUsed, innerToken->length, &p, tokenType);
+    memcpy(p, innerToken->value, innerToken->length);
+
+    *minor = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapVerifyToken(OM_uint32 *minor,
+                  gss_ctx_id_t ctx,
+                  const gss_buffer_t inputToken,
+                  enum gss_eap_token_type *actualToken,
+                  gss_buffer_t innerInputToken)
+{
+    OM_uint32 major;
+    size_t bodySize;
+    unsigned char *p = (unsigned char *)inputToken->value;
+    gss_OID_desc oidBuf;
+    gss_OID oid;
+
+    if (ctx->mechanismUsed != GSS_C_NO_OID) {
+        oid = ctx->mechanismUsed;
+    } else {
+        oidBuf.elements = NULL;
+        oidBuf.length = 0;
+        oid = &oidBuf;
+    }
+
+    major = verifyTokenHeader(minor, oid, &bodySize, &p,
+                              inputToken->length, actualToken);
+    if (GSS_ERROR(major))
+        return major;
+
+    if (ctx->mechanismUsed == GSS_C_NO_OID) {
+        if (!gssEapIsConcreteMechanismOid(oid)) {
+            *minor = GSSEAP_WRONG_MECH;
+            return GSS_S_BAD_MECH;
+        }
+
+        if (!gssEapInternalizeOid(oid, &ctx->mechanismUsed)) {
+            major = duplicateOid(minor, oid, &ctx->mechanismUsed);
+            if (GSS_ERROR(major))
+                return major;
+        }
+    }
+
+    innerInputToken->length = bodySize;
+    innerInputToken->value = p;
+
+    *minor = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapContextTime(OM_uint32 *minor,
+                  gss_ctx_id_t context_handle,
+                  OM_uint32 *time_rec)
+{
+    if (context_handle->expiryTime == 0) {
+        *time_rec = GSS_C_INDEFINITE;
+    } else {
+        time_t now, lifetime;
+
+        time(&now);
+        lifetime = context_handle->expiryTime - now;
+        if (lifetime <= 0) {
+            *time_rec = 0;
+            return GSS_S_CONTEXT_EXPIRED;
+        }
+        *time_rec = lifetime;
+    }
+
+    return GSS_S_COMPLETE;
+}