projects / mech_eap.orig / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 78d0326)
When processing error tokens at the initiator, verify minor status
authorLuke Howard <lukeh@padl.com>
Sun, 21 Nov 2010 14:19:30 +0000 (01:19 +1100)
committerLuke Howard <lukeh@padl.com>
Sun, 21 Nov 2010 14:19:30 +0000 (01:19 +1100)
code is valid wire error with new IS_WIRE_ERROR macro

accept_sec_context.c patch | blob | history
gssapiP_eap.h patch | blob | history
init_sec_context.c patch | blob | history

diff --git a/accept_sec_context.c b/accept_sec_context.c
index 260b233..7fa39ef 100644 (file)
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -511,28 +511,12 @@ makeErrorToken(OM_uint32 *minor,
      * Only return error codes that the initiator could have caused,
      * to avoid information leakage.
      */
-    switch (minorStatus) {
-    case GSSEAP_WRONG_SIZE:
-    case GSSEAP_WRONG_MECH:
-    case GSSEAP_BAD_TOK_HEADER:
-    case GSSEAP_TOK_TRUNC:
-    case GSSEAP_BAD_DIRECTION:
-    case GSSEAP_WRONG_TOK_ID:
-    case GSSEAP_CRIT_EXT_UNAVAILABLE:
-    case GSSEAP_MISSING_REQUIRED_EXT:
-    case GSSEAP_KEY_UNAVAILABLE:
-    case GSSEAP_KEY_TOO_SHORT:
-    case GSSEAP_RADIUS_AUTH_FAILURE:
-    case GSSEAP_UNKNOWN_RADIUS_CODE:
-    case GSSEAP_MISSING_EAP_REQUEST:
-        break;
-    default:
-        if (IS_RADIUS_ERROR(minorStatus))
-            /* Squash RADIUS error codes */
-            minorStatus = GSSEAP_RADIUS_PROT_FAILURE;
-        else
-            /* Don't return system error codes */
-            return GSS_S_COMPLETE;
+    if (IS_RADIUS_ERROR(minorStatus)) {
+        /* Squash RADIUS error codes */
+        minorStatus = GSSEAP_RADIUS_PROT_FAILURE;
+    } else if (!IS_WIRE_ERROR(minorStatus)) {
+        /* Don't return non-wire error codes */
+        return GSS_S_COMPLETE;
     }
 
     minorStatus -= ERROR_TABLE_BASE_eapg;
diff --git a/gssapiP_eap.h b/gssapiP_eap.h
index e1f0a66..274d694 100644 (file)
--- a/gssapiP_eap.h
+++ b/gssapiP_eap.h
@@ -245,6 +245,9 @@ rfc4121Flags(gss_ctx_id_t ctx, int receiving);
 void
 gssEapSaveStatusInfo(OM_uint32 minor, const char *format, ...);
 
+#define IS_WIRE_ERROR(err)              ((err) > GSSEAP_RESERVED && \
+                                         (err) <= GSSEAP_RADIUS_PROT_FAILURE)
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/init_sec_context.c b/init_sec_context.c
index a195815..bc3f554 100644 (file)
--- a/init_sec_context.c
+++ b/init_sec_context.c
@@ -616,7 +616,7 @@ eapGssSmInitError(OM_uint32 *minor,
     major = load_uint32_be(&p[0]);
     *minor = ERROR_TABLE_BASE_eapg + load_uint32_be(&p[4]);
 
-    if (!GSS_ERROR(major)) {
+    if (!GSS_ERROR(major) || !IS_WIRE_ERROR(*minor)) {
         major = GSS_S_FAILURE;
         *minor = GSSEAP_BAD_ERROR_TOKEN;
     }
Moonshot GSS-API mechanism