return major;
}
-static OM_uint32
-eapGssSmAcceptCompleteInitiatorExts(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_name_t target __attribute__((__unused__)),
- gss_OID mech __attribute__((__unused__)),
- OM_uint32 reqFlags __attribute__((__unused__)),
- OM_uint32 timeReq __attribute__((__unused__)),
- gss_channel_bindings_t chanBindings __attribute__((__unused__)),
- gss_buffer_t inputToken,
- gss_buffer_t outputToken,
- OM_uint32 *smFlags)
-{
- *minor = 0;
- *smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
- return GSS_S_CONTINUE_NEEDED;
-}
-
#ifdef GSSEAP_ENABLE_REAUTH
static OM_uint32
eapGssSmAcceptReauthCreds(OM_uint32 *minor,
#endif
static OM_uint32
-eapGssSmAcceptCompleteAcceptorExts(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_name_t target __attribute__((__unused__)),
- gss_OID mech __attribute__((__unused__)),
- OM_uint32 reqFlags __attribute__((__unused__)),
- OM_uint32 timeReq __attribute__((__unused__)),
- gss_channel_bindings_t chanBindings __attribute__((__unused__)),
- gss_buffer_t inputToken,
- gss_buffer_t outputToken,
- OM_uint32 *smFlags)
+eapGssSmAcceptCompleteExts(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target,
+ gss_OID mech,
+ OM_uint32 reqFlags,
+ OM_uint32 timeReq,
+ gss_channel_bindings_t chanBindings,
+ gss_buffer_t inputToken,
+ gss_buffer_t outputToken,
+ OM_uint32 *smFlags)
{
*minor = 0;
*smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
- return GSS_S_COMPLETE;
+ return (ctx->state == GSSEAP_STATE_INITIATOR_EXTS) ?
+ GSS_S_CONTINUE_NEEDED : GSS_S_COMPLETE;
}
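Review bot: The new return expression in eapGssSmAcceptCompleteExts is fail-open: every state other than GSSEAP_STATE_INITIATOR_EXTS yields GSS_S_COMPLETE, so if the handler were ever reached in a state it was not written for (a future table entry, or a ctx->state clobbered elsewhere) the caller would be told the context is established. The acceptor table in this diff registers it only for INITIATOR_EXTS and ACCEPTOR_EXTS, so inverting the test costs nothing and fails closed: `return (ctx->state == GSSEAP_STATE_ACCEPTOR_EXTS) ? GSS_S_COMPLETE : GSS_S_CONTINUE_NEEDED;`, optionally preceded by `assert(ctx->state == GSSEAP_STATE_INITIATOR_EXTS || ctx->state == GSSEAP_STATE_ACCEPTOR_EXTS);`. The merge also dropped the `__attribute__((__unused__))` annotations on target, mech, reqFlags, timeReq and chanBindings that the two removed functions carried, which brings back -Wunused-parameter noise if the build enables it. A short header comment saying that SM_FLAG_TRANSITION is what advances the state and the return value only tells the caller whether another round trip is needed would help the next reader.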
static struct gss_eap_sm eapGssAcceptorSm[] = {
ITOK_TYPE_REAUTH_REQ,
ITOK_TYPE_REAUTH_RESP,
GSSEAP_STATE_INITIAL,
- 0, /* critical */
- 0, /* required */
+ 0,
eapGssSmAcceptGssReauth,
},
#endif
ITOK_TYPE_NONE,
ITOK_TYPE_EAP_REQ,
GSSEAP_STATE_INITIAL,
- 1, /* critical */
- 1, /* required */
+ SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptIdentity,
},
{
ITOK_TYPE_EAP_RESP,
ITOK_TYPE_EAP_REQ,
GSSEAP_STATE_AUTHENTICATE,
- 1, /* critical */
- 1, /* required */
+ SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptAuthenticate
},
{
ITOK_TYPE_GSS_CHANNEL_BINDINGS,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIATOR_EXTS,
- 1, /* critical */
- 1, /* required */
+ SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptGssChannelBindings,
},
{
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIATOR_EXTS,
- 1, /* critical */
- 1, /* required */
- eapGssSmAcceptCompleteInitiatorExts,
+ 0,
+ eapGssSmAcceptCompleteExts,
},
#ifdef GSSEAP_ENABLE_REAUTH
{
ITOK_TYPE_NONE,
ITOK_TYPE_REAUTH_CREDS,
GSSEAP_STATE_ACCEPTOR_EXTS,
- 0, /* critical */
- 0, /* required */
+ 0,
eapGssSmAcceptReauthCreds,
},
#endif
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
GSSEAP_STATE_ACCEPTOR_EXTS,
- 1, /* critical */
- 1, /* required */
- eapGssSmAcceptCompleteAcceptorExts
+ 0,
+ eapGssSmAcceptCompleteExts
},
};
major = acceptReadyKrb(minor, ctx, cred,
krbInitiator, mech, timeRec);
if (major == GSS_S_COMPLETE) {
- ctx->state = GSSEAP_STATE_ACCEPTOR_EXTS;
- *smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
+ ctx->state = GSSEAP_STATE_ESTABLISHED;
+ *smFlags |= SM_FLAG_STOP_EVAL;
}
}
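Review bot: On a successful acceptReadyKrb the acceptor now jumps straight to GSSEAP_STATE_ESTABLISHED, so the Kerberos reauthentication path never enters GSSEAP_STATE_INITIATOR_EXTS, the only state in eapGssAcceptorSm where ITOK_TYPE_GSS_CHANNEL_BINDINGS is CRITICAL|REQUIRED. The old code went to ACCEPTOR_EXTS and skipped that state as well, so the hunk does not introduce the gap, but now that the jump is to the terminal state it deserves an explicit statement: if acceptReadyKrb hands the caller's channel bindings to the Kerberos mechanism, say so; if it does not, an application that supplied bindings gets no binding check on reauth. I would add `/* Kerberos reauth bypasses INITIATOR_EXTS; channel bindings must be verified by the krb5 mechanism inside acceptReadyKrb */` above the assignment. Dropping SM_FLAG_TRANSITION here looks right, since presumably nothing should advance past ESTABLISHED; the enclosing function starts and ends outside this hunk.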
OM_uint32 inputTokenType;
OM_uint32 outputTokenType;
enum gss_eap_state validStates;
- int critical;
- int required;
+ OM_uint32 itokFlags;
OM_uint32 (*processToken)(OM_uint32 *,
gss_cred_id_t,
gss_ctx_id_t,
OM_uint32 *);
};
-#define SM_FLAG_TRANSITION 0x00000001
-#define SM_FLAG_FORCE_SEND_TOKEN 0x00000002
-#define SM_FLAG_STOP_EVAL 0x00000004
+#define SM_FLAG_TRANSITION 0x00000001 /* transition to next state */
+#define SM_FLAG_FORCE_SEND_TOKEN 0x00000002 /* send token even if empty */
+#define SM_FLAG_STOP_EVAL 0x00000004 /* no more handlers for this state */
+
+#define SM_ITOK_FLAG_CRITICAL 0x00000001 /* sent tokens marked critical */
+#define SM_ITOK_FLAG_REQUIRED 0x00000002 /* received tokens must be present */
#define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == GSSEAP_STATE_ESTABLISHED)
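Review bot: SM_ITOK_FLAG_CRITICAL and SM_ITOK_FLAG_REQUIRED reuse the bit values 0x1 and 0x2 of SM_FLAG_TRANSITION and SM_FLAG_FORCE_SEND_TOKEN, and both sets are tested against plain OM_uint32 fields, so a mix-up such as `smp->itokFlags & SM_FLAG_TRANSITION` compiles silently and evaluates true for every CRITICAL entry. Giving the two families disjoint bit positions, e.g. `#define SM_ITOK_FLAG_CRITICAL 0x00010000` and `#define SM_ITOK_FLAG_REQUIRED 0x00020000`, or putting each in its own enum, makes such a mistake visible in a debugger and in review. The comment on SM_ITOK_FLAG_REQUIRED could also record what the driver later in this diff shows, that the check only fires for entries whose inputTokenType is not ITOK_TYPE_NONE, so the flag is meaningless on the completion entries.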
ctx->gssFlags = gssFlags;
+ *smFlags |= SM_FLAG_STOP_EVAL;
+
if (major == GSS_S_COMPLETE) {
major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec);
if (GSS_ERROR(major))
goto cleanup;
- ctx->state = GSSEAP_STATE_ACCEPTOR_EXTS;
+ ctx->state = GSSEAP_STATE_ESTABLISHED;
+ } else {
+ *smFlags |= SM_FLAG_TRANSITION;
}
- *smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
-
cleanup:
gssReleaseName(&tmpMinor, &mechTarget);
#endif /* GSSEAP_ENABLE_REAUTH */
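Review bot: The `if (major == GSS_S_COMPLETE)` test combined with the `GSS_ERROR(major)` guard leaves a gap: a GSS_S_COMPLETE carrying supplementary bits (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN) is neither an error nor equal to GSS_S_COMPLETE, so the new else branch would set SM_FLAG_TRANSITION and the context would not be marked established even though the mechanism finished. Whether the Kerberos initiator can return such bits here, and whether the caller masks them before this point, is outside the hunk, but `if (!GSS_ERROR(major) && (major & GSS_S_CONTINUE_NEEDED) == 0)` expresses the intent exactly and also covers the acceptor-side `major == GSS_S_COMPLETE` comparison elsewhere in this diff. `ctx->gssFlags = gssFlags;` is still assigned before the outcome is known, which is harmless only if the error path tears the context down; a one-line comment either way would settle it. The function begins before this hunk.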
static OM_uint32
-eapGssSmInitCompleteAcceptorExts(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_name_t target,
- gss_OID mech,
- OM_uint32 reqFlags,
- OM_uint32 timeReq,
- gss_channel_bindings_t chanBindings,
- gss_buffer_t inputToken,
- gss_buffer_t outputToken,
- OM_uint32 *smFlags)
+eapGssSmInitCompleteExts(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target,
+ gss_OID mech,
+ OM_uint32 reqFlags,
+ OM_uint32 timeReq,
+ gss_channel_bindings_t chanBindings,
+ gss_buffer_t inputToken,
+ gss_buffer_t outputToken,
+ OM_uint32 *smFlags)
{
*minor = 0;
*smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
- return GSS_S_COMPLETE;
+ return (ctx->state == GSSEAP_STATE_INITIATOR_EXTS) ?
+ GSS_S_CONTINUE_NEEDED : GSS_S_COMPLETE;
}
-static OM_uint32
-eapGssSmInitCompleteInitiatorExts(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_name_t target,
- gss_OID mech,
- OM_uint32 reqFlags,
- OM_uint32 timeReq,
- gss_channel_bindings_t chanBindings,
- gss_buffer_t inputToken,
- gss_buffer_t outputToken,
- OM_uint32 *smFlags)
-{
- *minor = 0;
- *smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
- return GSS_S_CONTINUE_NEEDED;
-}
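Review bot: eapGssSmInitCompleteExts defaults to GSS_S_COMPLETE for any state that is not GSSEAP_STATE_INITIATOR_EXTS, which is the fail-open direction for a function whose return value tells the application whether the security context is established. The initiator table in this diff only registers the handler for INITIATOR_EXTS and ACCEPTOR_EXTS, so `return (ctx->state == GSSEAP_STATE_ACCEPTOR_EXTS) ? GSS_S_COMPLETE : GSS_S_CONTINUE_NEEDED;` is equivalent today and fails closed if the table ever grows or the state is wrong. A header comment along the lines of "shared completion step for both extension states; SM_FLAG_TRANSITION advances the state, the return value only reports whether another token exchange is needed" would document the merge of the two former handlers.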
static struct gss_eap_sm eapGssInitiatorSm[] = {
{
ITOK_TYPE_CONTEXT_ERR,
ITOK_TYPE_NONE,
GSSEAP_STATE_ALL & ~(GSSEAP_STATE_INITIAL),
- 1, /* critical */
- 0, /* required */
+ SM_ITOK_FLAG_CRITICAL,
eapGssSmInitError,
},
#ifdef GSSEAP_ENABLE_REAUTH
ITOK_TYPE_REAUTH_RESP,
ITOK_TYPE_REAUTH_REQ,
GSSEAP_STATE_INITIAL | GSSEAP_STATE_AUTHENTICATE,
- 0, /* critical */
- 0, /* required */
+ 0,
eapGssSmInitGssReauth,
},
#endif
-#if 0
+#ifdef GSSEAP_DEBUG
{
ITOK_TYPE_NONE,
ITOK_TYPE_VENDOR_INFO,
GSSEAP_STATE_INITIAL,
- 0, /* critical */
- 0, /* required */
+ 0,
eapGssSmInitVendorInfo,
},
#endif
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIAL,
- 1, /* critical */
- 1, /* required */
+ SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmInitIdentity,
},
{
ITOK_TYPE_EAP_REQ,
ITOK_TYPE_EAP_RESP,
GSSEAP_STATE_AUTHENTICATE,
- 1, /* critical */
- 1, /* required */
+ SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmInitAuthenticate,
},
{
ITOK_TYPE_NONE,
ITOK_TYPE_GSS_CHANNEL_BINDINGS,
GSSEAP_STATE_INITIATOR_EXTS,
- 1, /* critical */
- 1, /* required */
+ SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmInitGssChannelBindings,
},
{
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIATOR_EXTS,
- 1, /* critical */
- 1, /* required */
- eapGssSmInitCompleteInitiatorExts
+ 0,
+ eapGssSmInitCompleteExts
},
#ifdef GSSEAP_ENABLE_REAUTH
{
ITOK_TYPE_REAUTH_CREDS,
ITOK_TYPE_NONE,
GSSEAP_STATE_ACCEPTOR_EXTS,
- 0, /* critical */
- 0, /* required */
+ 0,
eapGssSmInitReauthCreds,
},
#endif
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
GSSEAP_STATE_ACCEPTOR_EXTS,
- 1, /* critical */
- 1, /* required */
- eapGssSmInitCompleteAcceptorExts
+ 0,
+ eapGssSmInitCompleteExts
}
};
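Review bot: Turning `#if 0` into `#ifdef GSSEAP_DEBUG` makes the ITOK_TYPE_VENDOR_INFO entry live in debug builds, and it runs in GSSEAP_STATE_INITIAL, i.e. the token goes out before any authentication has happened; if eapGssSmInitVendorInfo emits build or version details (its body is not in this diff) that is an information disclosure to an unauthenticated acceptor. Acceptable for a debug build, but the entry should say so, e.g. `/* debug only: discloses implementation details to an unauthenticated peer */`, and the build should be checked so that GSSEAP_DEBUG is never defined for release artefacts. The switch of the two completion entries from CRITICAL|REQUIRED to 0 is behaviour-neutral given the driver only applies CRITICAL to produced tokens and REQUIRED to non-NONE input types, which is worth a word in the commit message since it reads like a relaxation.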
innerOutputTokens->elements[innerOutputTokens->count] = innerOutputToken;
assert(smp->outputTokenType != ITOK_TYPE_NONE);
outputTokenTypes[innerOutputTokens->count] = smp->outputTokenType;
- if (smp->critical)
+ if (smp->itokFlags & SM_ITOK_FLAG_CRITICAL)
outputTokenTypes[innerOutputTokens->count] |= ITOK_FLAG_CRITICAL;
innerOutputTokens->count++;
}
if (smFlags & SM_FLAG_STOP_EVAL)
break;
- } else if (smp->required && smp->inputTokenType != ITOK_TYPE_NONE) {
+ } else if ((smp->itokFlags & SM_ITOK_FLAG_REQUIRED) &&
+ smp->inputTokenType != ITOK_TYPE_NONE) {
major = GSS_S_DEFECTIVE_TOKEN;
*minor = GSSEAP_MISSING_REQUIRED_ITOK;
break;