Send acceptor name and verify

author Sam Hartman <hartmans@debian.org>

Tue, 11 Sep 2012 19:50:30 +0000 (15:50 -0400)

committer Sam Hartman <hartmans@debian.org>

Wed, 12 Sep 2012 20:31:28 +0000 (16:31 -0400)
author Sam Hartman <hartmans@debian.org>
Tue, 11 Sep 2012 19:50:30 +0000 (15:50 -0400)
committer Sam Hartman <hartmans@debian.org>
Wed, 12 Sep 2012 20:31:28 +0000 (16:31 -0400)
diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c

index cd51e70..ded1ec8 100644 (file)
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -851,6 +851,13 @@ static struct gss_eap_sm eapGssAcceptorSm[] = {
  #endif
      {
          ITOK_TYPE_NONE,
+        ITOK_TYPE_ACCEPTOR_NAME_RESP,
+        GSSEAP_STATE_ACCEPTOR_EXTS,
+        0,
+        eapGssSmAcceptAcceptorName
+    },
+    {
+        ITOK_TYPE_NONE,
          ITOK_TYPE_ACCEPTOR_MIC,
          GSSEAP_STATE_ACCEPTOR_EXTS,
          0,
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c

index a123626..fa4d832 100644 (file)
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -561,17 +561,36 @@ eapGssSmInitAcceptorName(OM_uint32 *minor,
                                    outputToken, NULL);
          if (GSS_ERROR(major))
              return major;
-    } else if (inputToken != GSS_C_NO_BUFFER &&
-               ctx->acceptorName == GSS_C_NO_NAME) {
-        /* Accept target name hint from acceptor */
+    } else if (inputToken != GSS_C_NO_BUFFER) {
+        /* Accept target name hint from acceptor or verify acceptor*/
+       gss_name_t importedName;
          major = gssEapImportName(minor, inputToken,
                                   GSS_C_NT_USER_NAME,
                                   ctx->mechanismUsed,
-                                 &ctx->acceptorName);
+                                 &importedName);
          if (GSS_ERROR(major))
              return major;
+       if (ctx->acceptorName) {
+           /* verify name */
+           int equal = 0;
+           OM_uint32 ignoredMinor = 0;
+           major = gss_compare_name(minor, importedName,
+                                    ctx->acceptorName, &equal);
+           gss_release_name(&ignoredMinor, &importedName);
+           if (GSS_ERROR(major))
+               return major;
+           if (!equal) {
+               *minor = GSSEAP_BAD_CONTEXT_TOKEN;
+               return GSS_S_DEFECTIVE_TOKEN;
+           }
+       } else {
+           /* accept acceptor name hint */
+           ctx->acceptorName = importedName;
+           importedName = NULL;
+       }
      }
  
+
      /*
       * Currently, other parts of the code assume that the acceptor name
       * is available, hence this check.
@@ -892,7 +911,8 @@ static struct gss_eap_sm eapGssInitiatorSm[] = {
      {
          ITOK_TYPE_ACCEPTOR_NAME_RESP,
          ITOK_TYPE_ACCEPTOR_NAME_REQ,
-        GSSEAP_STATE_INITIAL | GSSEAP_STATE_AUTHENTICATE,
+        GSSEAP_STATE_INITIAL | GSSEAP_STATE_AUTHENTICATE
+       | GSSEAP_STATE_ACCEPTOR_EXTS ,
          0,
          eapGssSmInitAcceptorName
      },
author	Sam Hartman <hartmans@debian.org>
	Tue, 11 Sep 2012 19:50:30 +0000 (15:50 -0400)
committer	Sam Hartman <hartmans@debian.org>
	Wed, 12 Sep 2012 20:31:28 +0000 (16:31 -0400)
mech_eap/accept_sec_context.c		patch \| blob \| history
mech_eap/init_sec_context.c		patch \| blob \| history