-- gssEapAcquireCred should validate RADIUS configuration
- integration with initiator-side EAP channel bindings
- always intern OIDs so they never need to be freed
- handle many-to-many Shibboleth attribute mappings; need to encode both attribute and value index into more
gss_ctx_id_t ctx)
{
struct gss_eap_acceptor_ctx *actx = &ctx->acceptorCtx;
- const char *configFile = RS_CONFIG_FILE;
- const char *configStanza = "gss-eap";
- struct rs_alloc_scheme ralloc;
struct rs_error *err;
+ const char *configStanza = "gss-eap";
+ OM_uint32 major;
GSSEAP_ASSERT(actx->radContext == NULL);
GSSEAP_ASSERT(actx->radConn == NULL);
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
- if (rs_context_create(&actx->radContext) != 0) {
- *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
- return GSS_S_FAILURE;
- }
+ major = gssEapCreateRadiusContext(minor, cred, &actx->radContext);
+ if (GSS_ERROR(major))
+ return major;
- if (cred->radiusConfigFile.value != NULL)
- configFile = (const char *)cred->radiusConfigFile.value;
if (cred->radiusConfigStanza.value != NULL)
configStanza = (const char *)cred->radiusConfigStanza.value;
- ralloc.calloc = GSSEAP_CALLOC;
- ralloc.malloc = GSSEAP_MALLOC;
- ralloc.free = GSSEAP_FREE;
- ralloc.realloc = GSSEAP_REALLOC;
-
- rs_context_set_alloc_scheme(actx->radContext, &ralloc);
-
- if (rs_context_read_config(actx->radContext, configFile) != 0) {
- err = rs_err_ctx_pop(actx->radContext);
- goto fail;
- }
-
- if (rs_context_init_freeradius_dict(actx->radContext, NULL) != 0) {
- err = rs_err_ctx_pop(actx->radContext);
- goto fail;
- }
-
if (rs_conn_create(actx->radContext, &actx->radConn, configStanza) != 0) {
err = rs_err_conn_pop(actx->radConn);
- goto fail;
+ return gssEapRadiusMapError(minor, err);
}
if (actx->radServer != NULL) {
if (rs_conn_select_peer(actx->radConn, actx->radServer) != 0) {
err = rs_err_conn_pop(actx->radConn);
- goto fail;
+ return gssEapRadiusMapError(minor, err);
}
}
*minor = 0;
return GSS_S_COMPLETE;
-
-fail:
- return gssEapRadiusMapError(minor, err);
}
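Review bot: On the rs_conn_create() failure branch the error is popped with `rs_err_conn_pop(actx->radConn)` from a connection that the call has just failed to create; if libradsec leaves the handle unset on failure this pops from a NULL connection, and `err = rs_err_conn_pop(actx->radConn);` there should probably be `err = rs_err_ctx_pop(actx->radContext);` (the select_peer branch below it legitimately uses the connection). The pattern predates the commit, but the line now feeds a direct `return gssEapRadiusMapError(minor, err);` instead of a shared `fail:` label, so it is worth fixing while it is touched. Note also that the context obtained from `gssEapCreateRadiusContext()` stays attached to `actx->radContext` on both early returns; that is fine only if acceptor-context release always destroys it, which the hunk does not show. The function's signature starts outside the hunk.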
/*
GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
}
+ if (cred->flags & CRED_FLAG_ACCEPT) {
+ struct rs_context *radContext;
+
+ major = gssEapCreateRadiusContext(minor, cred, &radContext);
+ if (GSS_ERROR(major))
+ goto cleanup;
+
+ rs_context_destroy(radContext);
+ }
+
if (pActualMechs != NULL) {
major = duplicateOidSet(minor, cred->mechanisms, pActualMechs);
if (GSS_ERROR(major))
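Review bot: The new `CRED_FLAG_ACCEPT` block creates a RADIUS context and immediately destroys it with no comment on why, which reads like dead work; a one-line comment such as `/* Validate the RADIUS configuration now so a broken radsec.conf fails acquire_cred rather than the first accept_sec_context */` would make the intent clear. This block also appears to replace the init-time dictionary-loading hack deleted in the attribute-provider hunk below, so reauthentication acceptance presumably now depends on an acceptor credential having been acquired first; if that ordering is intended it deserves a note here as well. The enclosing gssEapAcquireCred body starts and ends outside the hunk.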
{
gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext);
-#ifdef GSSEAP_ENABLE_REAUTH
- struct rs_context *radContext;
-
- /*
- * This hack is necessary in order to force the loading of the global
- * dictionary, otherwise accepting reauthentication tokens fails unless
- * the acceptor has already accepted a normal authentication token.
- */
- if (rs_context_create(&radContext) != 0)
- return false;
-
- if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) {
- rs_context_destroy(radContext);
- return false;
- }
-
- if (rs_context_init_freeradius_dict(radContext, NULL)) {
- rs_context_destroy(radContext);
- return false;
- }
-
- rs_context_destroy(radContext);
-#endif
-
return true;
}
return GSS_S_FAILURE;
}
+
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext)
+{
+ const char *configFile = RS_CONFIG_FILE;
+ struct rs_context *radContext;
+ struct rs_alloc_scheme ralloc;
+ struct rs_error *err;
+ OM_uint32 major;
+
+ *pRadContext = NULL;
+
+ if (rs_context_create(&radContext) != 0) {
+ *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
+ return GSS_S_FAILURE;
+ }
+
+ if (cred->radiusConfigFile.value != NULL)
+ configFile = (const char *)cred->radiusConfigFile.value;
+
+ ralloc.calloc = GSSEAP_CALLOC;
+ ralloc.malloc = GSSEAP_MALLOC;
+ ralloc.free = GSSEAP_FREE;
+ ralloc.realloc = GSSEAP_REALLOC;
+
+ rs_context_set_alloc_scheme(radContext, &ralloc);
+
+ if (rs_context_read_config(radContext, configFile) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ if (rs_context_init_freeradius_dict(radContext, NULL) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ *pRadContext = radContext;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+
+fail:
+ major = gssEapRadiusMapError(minor, err);
+ rs_context_destroy(radContext);
+
+ return major;
+}
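Review bot: gssEapCreateRadiusContext dereferences `cred` at `cred->radiusConfigFile.value` without checking it, whereas the acceptor-side caller guards the same access with `GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL)`; either add `GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);` before the dereference or state the non-NULL precondition in a header comment. The function also transfers ownership of `*pRadContext` to the caller, who must `rs_context_destroy()` it (as gssEapAcquireCred does), which is worth a short Doxygen-style comment on the definition and on the new prototype added to the header. Two inherited assumptions would be better made explicit than silently relied on: the cast of `radiusConfigFile.value` to `const char *` requires that buffer to be NUL-terminated, and `err` from `rs_err_ctx_pop()` may be NULL if the library pushed no error, which matters only if gssEapRadiusMapError() does not tolerate a NULL error.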
gssEapRadiusMapError(OM_uint32 *minor,
struct rs_error *err);
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext);
+
/* This really needs to be a function call on Windows */
#define RS_CONFIG_FILE SYSCONFDIR "/radsec.conf"