#endif
static OM_uint32
-peerConfigInit(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx)
+peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
{
OM_uint32 major;
krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
+ gss_cred_id_t cred = ctx->cred;
eapPeerConfig->identity = NULL;
eapPeerConfig->identity_len = 0;
eapPeerConfig->password = (unsigned char *)cred->password.value;
eapPeerConfig->password_len = cred->password.length;
+ /* certs */
+ eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
+ eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
+ eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+
*minor = 0;
return GSS_S_COMPLETE;
}
static OM_uint32
initBegin(OM_uint32 *minor,
- gss_cred_id_t cred,
gss_ctx_id_t ctx,
gss_name_t target,
gss_OID mech,
gss_channel_bindings_t chanBindings GSSEAP_UNUSED)
{
OM_uint32 major;
+ gss_cred_id_t cred = ctx->cred;
assert(cred != GSS_C_NO_CREDENTIAL);
static OM_uint32
eapGssSmInitAuthenticate(OM_uint32 *minor,
- gss_cred_id_t cred,
+ gss_cred_id_t cred GSSEAP_UNUSED,
gss_ctx_id_t ctx,
gss_name_t target GSSEAP_UNUSED,
gss_OID mech GSSEAP_UNUSED,
assert(inputToken != GSS_C_NO_BUFFER);
- major = peerConfigInit(minor, cred, ctx);
+ major = peerConfigInit(minor, ctx);
if (GSS_ERROR(major))
goto cleanup;
};
OM_uint32
-gss_init_sec_context(OM_uint32 *minor,
+gssEapInitSecContext(OM_uint32 *minor,
gss_cred_id_t cred,
- gss_ctx_id_t *context_handle,
+ gss_ctx_id_t ctx,
gss_name_t target_name,
gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 *time_rec)
{
OM_uint32 major, tmpMinor;
- gss_ctx_id_t ctx = *context_handle;
- int initialContextToken = 0;
-
- *minor = 0;
-
- output_token->length = 0;
- output_token->value = NULL;
+ int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);
- if (ctx == GSS_C_NO_CONTEXT) {
- if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
- *minor = GSSEAP_WRONG_SIZE;
- return GSS_S_DEFECTIVE_TOKEN;
- }
+ if (cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_LOCK(&cred->mutex);
- major = gssEapAllocContext(minor, &ctx);
+ if (ctx->cred == GSS_C_NO_CREDENTIAL) {
+ major = gssEapResolveInitiatorCred(minor, cred, target_name, &ctx->cred);
if (GSS_ERROR(major))
- return major;
-
- ctx->flags |= CTX_FLAG_INITIATOR;
- initialContextToken = 1;
+ goto cleanup;
- *context_handle = ctx;
+ assert(ctx->cred != GSS_C_NO_CREDENTIAL);
}
- GSSEAP_MUTEX_LOCK(&ctx->mutex);
-
- if (cred == GSS_C_NO_CREDENTIAL) {
- if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) {
- major = gssEapAcquireCred(minor,
- GSS_C_NO_NAME,
- GSS_C_NO_BUFFER,
- time_req,
- GSS_C_NO_OID_SET,
- GSS_C_INITIATE,
- &ctx->defaultCred,
- NULL,
- NULL);
- if (GSS_ERROR(major))
- goto cleanup;
- }
+ GSSEAP_MUTEX_LOCK(&ctx->cred->mutex);
- cred = ctx->defaultCred;
- }
-
- GSSEAP_MUTEX_LOCK(&cred->mutex);
-
- if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
- major = GSS_S_NO_CRED;
- *minor = GSSEAP_CRED_USAGE_MISMATCH;
- goto cleanup;
- }
+ assert(ctx->cred->flags & CRED_FLAG_RESOLVED);
+ assert(ctx->cred->flags & CRED_FLAG_INITIATE);
if (initialContextToken) {
- major = initBegin(minor, cred, ctx, target_name, mech_type,
+ major = initBegin(minor, ctx, target_name, mech_type,
req_flags, time_req, input_chan_bindings);
if (GSS_ERROR(major))
goto cleanup;
cleanup:
if (cred != GSS_C_NO_CREDENTIAL)
GSSEAP_MUTEX_UNLOCK(&cred->mutex);
+ if (ctx->cred != GSS_C_NO_CREDENTIAL)
+ GSSEAP_MUTEX_UNLOCK(&ctx->cred->mutex);
+
+ return major;
+}
+
+OM_uint32 GSSAPI_CALLCONV
+gss_init_sec_context(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t *context_handle,
+ gss_name_t target_name,
+ gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ gss_channel_bindings_t input_chan_bindings,
+ gss_buffer_t input_token,
+ gss_OID *actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 *ret_flags,
+ OM_uint32 *time_rec)
+{
+ OM_uint32 major, tmpMinor;
+ gss_ctx_id_t ctx = *context_handle;
+
+ *minor = 0;
+
+ output_token->length = 0;
+ output_token->value = NULL;
+
+ assert(ctx == GSS_C_NO_CONTEXT || ctx->mechanismUsed != GSS_C_NO_OID);
+
+ if (ctx == GSS_C_NO_CONTEXT) {
+ if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
+ *minor = GSSEAP_WRONG_SIZE;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ major = gssEapAllocContext(minor, &ctx);
+ if (GSS_ERROR(major))
+ return major;
+
+ ctx->flags |= CTX_FLAG_INITIATOR;
+
+ *context_handle = ctx;
+ }
+
+ GSSEAP_MUTEX_LOCK(&ctx->mutex);
+
+ major = gssEapInitSecContext(minor,
+ cred,
+ ctx,
+ target_name,
+ mech_type,
+ req_flags,
+ time_req,
+ input_chan_bindings,
+ input_token,
+ actual_mech_type,
+ output_token,
+ ret_flags,
+ time_rec);
+
GSSEAP_MUTEX_UNLOCK(&ctx->mutex);
if (GSS_ERROR(major))