Merge branch 'master' into debian
authorSam Hartman <hartmans@debian.org>
Thu, 12 Mar 2015 16:44:56 +0000 (12:44 -0400)
committerSam Hartman <hartmans@debian.org>
Thu, 12 Mar 2015 16:44:56 +0000 (12:44 -0400)
0.9.3 most of the changes

configure.ac
libeap/src/crypto/tls_openssl.c
mech_eap/accept_sec_context.c
mech_eap/gssapiP_eap.h
mech_eap/gsseap_err.et
mech_eap/init_sec_context.c
mech_eap/util_sm.c

index fabdb9c..5695d5c 100644 (file)
@@ -1,5 +1,5 @@
 AC_PREREQ([2.61])
-AC_INIT([mech_eap], [0.9.2], [bugs@project-moonshot.org])
+AC_INIT([mech_eap], [0.9.3], [bugs@project-moonshot.org])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
 
index c0a40f9..d155c09 100644 (file)
@@ -767,13 +767,7 @@ void tls_deinit(void *ssl_ctx)
 
        tls_openssl_ref_count--;
        if (tls_openssl_ref_count == 0) {
-#ifndef OPENSSL_NO_ENGINE
-               ENGINE_cleanup();
-#endif /* OPENSSL_NO_ENGINE */
-               CRYPTO_cleanup_all_ex_data();
                ERR_remove_state(0);
-               ERR_free_strings();
-               EVP_cleanup();
                os_free(tls_global);
                tls_global = NULL;
        }
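Review bot: The last-reference branch of tls_deinit now drops ENGINE_cleanup, CRYPTO_cleanup_all_ex_data, ERR_free_strings and EVP_cleanup but keeps ERR_remove_state(0) and os_free(tls_global), and nothing in the hunk says why, so the next reader will take it for an incomplete teardown. Presumably the process-wide calls were removed because this code lives in a shared library whose host process (and other loaded modules) may still be using libcrypto, in which case tearing down the engine, cipher and error-string tables is unsafe; that rationale belongs next to the branch, e.g. `/* Only release per-thread and library-private state: the process-wide OpenSSL tables may still be in use by the host application, which owns libcrypto, not us. */`. If I recall correctly ERR_remove_state() is itself deprecated in later OpenSSL releases in favour of ERR_remove_thread_state(), so it may be worth a TODO while this is being touched. tls_deinit starts before the hunk and its body continues after the closing brace shown.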
index 1cbf275..3518d30 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, JANET(UK)
+ * Copyright (c) 2011, 2013, 2015, JANET(UK)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -439,6 +439,52 @@ createRadiusHandle(OM_uint32 *minor,
     return GSS_S_COMPLETE;
 }
 
+/**
+ * Choose the correct error for an access reject packet.
+ */
+static OM_uint32
+eapGssAcceptHandleReject(
+                        OM_uint32 *minor,
+                        struct rs_packet *response)
+{
+    rs_avp **vps;
+    rs_const_avp  *vp = NULL;
+    OM_uint32 major;
+    const char * reply_message = NULL;
+    size_t reply_length = 0;
+
+    rs_packet_avps(response, &vps);
+    major = gssEapRadiusGetRawAvp(minor, *vps,
+                                 PW_REPLY_MESSAGE, 0, &vp);
+    if (!GSS_ERROR(major)) {
+       reply_message = rs_avp_string_value(vp);
+       reply_length = rs_avp_length(vp);
+    }
+
+    major = gssEapRadiusGetRawAvp(minor, *vps,
+                                 PW_ERROR_CAUSE, 0, &vp);
+    if (!GSS_ERROR(major)) {
+       switch (rs_avp_integer_value(vp)) {
+           /* Values from http://www.iana.org/assignments/radius-types/radius-types.xhtml#radius-types-18                                                      */
+       case 502: /*request not routable (proxy)*/
+           *minor = GSSEAP_RADIUS_UNROUTABLE;
+           break;
+       case 501: /*administratively prohibited*/
+           *minor = GSSEAP_RADIUS_ADMIN_PROHIBIT;
+           break;
+
+       default:
+           *minor = GSSEAP_RADIUS_AUTH_FAILURE;
+           break;
+       }
+    } else *minor = GSSEAP_RADIUS_AUTH_FAILURE;
+
+    if (reply_message)
+       gssEapSaveStatusInfo(*minor, "%s: %.*s", error_message(*minor),
+                            reply_length, reply_message);
+    else gssEapSaveStatusInfo( *minor, "%s", error_message(*minor));
+    return GSS_S_DEFECTIVE_CREDENTIAL;
+}
 /*
  * Process a EAP response from the initiator.
  */
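Review bot: In eapGssAcceptHandleReject the `%.*s` precision is fed `reply_length`, which is a `size_t`, but a `*` precision in printf-style formats is read as an `int`; on LP64 targets that is an 8-byte argument where a 4-byte one is consumed, which is undefined behaviour and can misformat or over-read the server-supplied Reply-Message (which, given the explicit length, apparently need not be NUL-terminated). Pass `(int)reply_length` (clamping first if rs_avp_length can exceed INT_MAX); the format itself is a literal, so there is no format-string injection from the RADIUS server here. The return value of `rs_packet_avps(response, &vps)` is also ignored, so `*vps` is dereferenced even if the call failed and left `vps` unset — check it, or initialise `vps = NULL` and fall straight to the GSSEAP_RADIUS_AUTH_FAILURE path, before the two gssEapRadiusGetRawAvp calls. Whether gssEapSaveStatusInfo carries a format attribute that would have caught the first problem is not visible in this hunk.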
@@ -527,8 +573,7 @@ eapGssSmAcceptAuthenticate(OM_uint32 *minor,
     case PW_ACCESS_ACCEPT:
         break;
     case PW_ACCESS_REJECT:
-        *minor = GSSEAP_RADIUS_AUTH_FAILURE;
-        major = GSS_S_DEFECTIVE_CREDENTIAL;
+       major = eapGssAcceptHandleReject( minor, resp);
         goto cleanup;
         break;
     default:
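Review bot: The replacement line `major = eapGssAcceptHandleReject( minor, resp);` is indented with seven spaces and has a stray space after the opening parenthesis, while the surrounding case labels and statements use the file's eight-space style; it should read `        major = eapGssAcceptHandleReject(minor, resp);`. The `break;` after `goto cleanup;` is pre-existing dead code and could be dropped while this case is being rewritten. eapGssSmAcceptAuthenticate starts and ends outside the hunk.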
index 0a81cd8..4dc0f34 100644 (file)
@@ -337,7 +337,7 @@ gssEapDisplayStatus(OM_uint32 *minor,
                     OM_uint32 status_value,
                     gss_buffer_t status_string);
 
-#define IS_WIRE_ERROR(err)              ((err) > GSSEAP_RESERVED && \
+#define IS_WIRE_ERROR(err)              ((err) >= GSSEAP_RESERVED && \
                                          (err) <= GSSEAP_RADIUS_PROT_FAILURE)
 
 #ifdef GSSEAP_ENABLE_ACCEPTOR
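Review bot: Widening IS_WIRE_ERROR to `>= GSSEAP_RESERVED` admits the placeholder code, but the upper bound is still GSSEAP_RADIUS_PROT_FAILURE, so the two codes this same commit appends to gsseap_err.et after it (GSSEAP_RADIUS_UNROUTABLE, GSSEAP_RADIUS_ADMIN_PROHIBIT) are not wire errors by this macro; as far as the visible hunks show, makeErrorToken in util_sm.c will therefore zero them before they reach the initiator, which defeats the point of the new reject handling. If those codes are meant to cross the wire the bound should move with the table, e.g. `(err) <= GSSEAP_RADIUS_ADMIN_PROHIBIT`, with a comment such as `/* Must stay in step with gsseap_err.et and with the 1..127 range eapGssSmInitError accepts */`. If they are deliberately acceptor-local, a comment saying so on the macro would stop the next person from asking the same question.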
index fc8ed82..6321e93 100644 (file)
@@ -33,7 +33,7 @@
 error_table eapg
 
 #
-# Protocol errors that can be returned in an error token. This should match
+# Standards-track Protocol errors that can be returned in an error token. This should match
 # up with makeErrorToken in accept_sec_context.c.
 #
 error_code GSSEAP_RESERVED,                     ""
@@ -54,6 +54,13 @@ error_code GSSEAP_UNKNOWN_RADIUS_CODE,          "Received unknown response code
 error_code GSSEAP_MISSING_EAP_REQUEST,          "RADIUS response is missing EAP request"
 error_code GSSEAP_RADIUS_PROT_FAILURE,          "Generic RADIUS failure"
 
+# Extension errors starting with 128 that can be returned in a
+#protocol token; again should match accept_sec_context.c 
+
+error_code GSSEAP_RADIUS_UNROUTABLE, "Proxy had no route to identity
+provider realm"
+
+error_code GSSEAP_RADIUS_ADMIN_PROHIBIT, "IDP Administratively Prohibits Request"
 #
 # Context errors
 #
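Review bot: The message for GSSEAP_RADIUS_UNROUTABLE is split across two lines inside the quotes (`"Proxy had no route to identity` / `provider realm"`); I cannot confirm from here whether compile_et accepts a newline inside a quoted string, and even if it does the newline ends up in the user-visible text, so it should be one line: `error_code GSSEAP_RADIUS_UNROUTABLE, "Proxy had no route to identity provider realm"`. The new comment says these extension errors start at 128, but as far as I know compile_et numbers error_code entries sequentially, so unless entries not shown here pad the table these two simply follow GSSEAP_RADIUS_PROT_FAILURE; the comment should describe what the file actually does, e.g. `# Extension errors: not in the IS_WIRE_ERROR range, see makeErrorToken in util_sm.c for how they are sent`, with the mapping spelled out wherever it really lives. Minor: a space after `#` on the second comment line and a blank line before the `# Context errors` header would match the rest of the file.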
index c1f3980..5f87e40 100644 (file)
@@ -630,7 +630,10 @@ eapGssSmInitError(OM_uint32 *minor,
     p = (unsigned char *)inputToken->value;
 
     major = load_uint32_be(&p[0]);
-    *minor = ERROR_TABLE_BASE_eapg + load_uint32_be(&p[4]);
+    *minor =  load_uint32_be(&p[4]);
+    if ((*minor >0) && (*minor < 128))
+      * minor += ERROR_TABLE_BASE_eapg;
+    else *minor = 0;
 
     if (!GSS_ERROR(major) || !IS_WIRE_ERROR(*minor)) {
         major = GSS_S_FAILURE;
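Review bot: The bound in `if ((*minor >0) && (*minor < 128))` is a magic number that has to agree with what the acceptor puts on the wire and with IS_WIRE_ERROR, and nothing ties the three together; give it a shared name, e.g. `#define GSSEAP_WIRE_ERROR_LIMIT 128` in gssapiP_eap.h, and write the check as `if (*minor > 0 && *minor < GSSEAP_WIRE_ERROR_LIMIT) *minor += ERROR_TABLE_BASE_eapg; else *minor = 0;`. Validating the peer-supplied code before adding the table base is the right order — previously any 32-bit value from the token became a minor status — but the else branch leaves `*minor` at 0, which the IS_WIRE_ERROR test on the next line will reject (assuming ERROR_TABLE_BASE_eapg is non-zero), so the net effect is GSS_S_FAILURE with no minor; a one-line comment saying that is intended, such as `/* Out-of-range codes are dropped; the IS_WIRE_ERROR check below then fails the token */`, would help. Also `* minor +=` should be `*minor +=`. eapGssSmInitError starts and ends outside this hunk.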
index 56248d8..a286bba 100644 (file)
@@ -115,10 +115,11 @@ makeErrorToken(OM_uint32 *minor,
         minorStatus = GSSEAP_RADIUS_PROT_FAILURE;
     } else if (!IS_WIRE_ERROR(minorStatus)) {
         /* Don't return non-wire error codes */
-        return GSS_S_COMPLETE;
+      minorStatus = 0;
     }
 
-    minorStatus -= ERROR_TABLE_BASE_eapg;
+    if (minorStatus != 0)
+      minorStatus -= ERROR_TABLE_BASE_eapg;
 
     store_uint32_be(majorStatus, &errorData[0]);
     store_uint32_be(minorStatus, &errorData[4]);
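Review bot: Replacing `return GSS_S_COMPLETE` with `minorStatus = 0` changes what the peer sees — a non-wire failure now produces an error token carrying minor 0 where before no token was built at all — yet the comment still only says `Don't return non-wire error codes`; extend it to `/* Don't leak internal (non-wire) codes: send 0 so the peer still receives an error token and treats it as a generic failure */`. The two new statements are indented with six spaces against the file's eight. makeErrorToken starts before this hunk and continues after it, so whether any caller still depends on the old early-return path is not visible here.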