From a8f5b12ce0b0cb0fa928852dcaecf9a8012e4ef1 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 8 Mar 2011 18:11:46 +1100
Subject: [PATCH] for state transitions through gssEapSmTransition
---
 accept_sec_context.c | 4 ++--
 gssapiP_eap.h | 38 --------------------------------------
 init_sec_context.c | 6 +++---
 util.h | 41 ++++++++++++++++++++++++++++++++++++++++-
 util_sm.c | 24 +++++++++++++++---------
 5 files changed, 60 insertions(+), 53 deletions(-)
diff --git a/accept_sec_context.c b/accept_sec_context.c
index 725ce69..9627e88 100644
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -658,7 +658,7 @@ eapGssSmAcceptCompleteAcceptorExts(OM_uint32 *minor,
 {
 *minor = 0;
- ctx->state = GSSEAP_STATE_ESTABLISHED;
+ gssEapSmTransition(ctx, GSSEAP_STATE_ESTABLISHED);
 *smFlags |= SM_FLAG_STOP_EVAL;
 return GSS_S_COMPLETE;
@@ -899,7 +899,7 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
 major = acceptReadyKrb(minor, ctx, cred, krbInitiator, mech, timeRec);
 if (major == GSS_S_COMPLETE) {
- ctx->state = GSSEAP_STATE_ESTABLISHED;
+ gssEapSmTransition(ctx, GSSEAP_STATE_ESTABLISHED);
 *smFlags |= SM_FLAG_STOP_EVAL;
 }
 }
diff --git a/gssapiP_eap.h b/gssapiP_eap.h
index 752311e..b7740da 100644
--- a/gssapiP_eap.h
+++ b/gssapiP_eap.h
@@ -140,44 +140,6 @@ struct gss_cred_id_struct
 #define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
-enum gss_eap_state {
- GSSEAP_STATE_INITIAL = 0x01, /* initial state */
- GSSEAP_STATE_AUTHENTICATE = 0x02, /* exchange EAP messages */
- GSSEAP_STATE_INITIATOR_EXTS = 0x04, /* initiator extensions */
- GSSEAP_STATE_ACCEPTOR_EXTS = 0x08, /* acceptor extensions */
- GSSEAP_STATE_REAUTHENTICATE = 0x10, /* GSS reauthentication messages */
- GSSEAP_STATE_ESTABLISHED = 0x20, /* context established */
- GSSEAP_STATE_ALL = 0x3F
-};
-
-#define GSSEAP_STATE_NEXT(s) ((s) << 1)
-
-/* state machine entry */
-struct gss_eap_sm {
- OM_uint32 inputTokenType;
- OM_uint32 outputTokenType;
- enum gss_eap_state validStates;
- OM_uint32 itokFlags;
- OM_uint32 (*processToken)(OM_uint32 *,
- gss_cred_id_t,
- gss_ctx_id_t,
- gss_name_t,
- gss_OID,
- OM_uint32,
- OM_uint32,
- gss_channel_bindings_t,
- gss_buffer_t,
- gss_buffer_t,
- OM_uint32 *);
-};
-
-#define SM_FLAG_TRANSITION 0x00000001 /* transition to next state */
-#define SM_FLAG_FORCE_SEND_TOKEN 0x00000002 /* send token even if empty */
-#define SM_FLAG_STOP_EVAL 0x00000004 /* no more handlers for this state */
-
-#define SM_ITOK_FLAG_CRITICAL 0x00000001 /* sent tokens marked critical */
-#define SM_ITOK_FLAG_REQUIRED 0x00000002 /* received tokens must be present */
-
 #define CTX_IS_ESTABLISHED(ctx) ((ctx)->state == GSSEAP_STATE_ESTABLISHED)
 /* Initiator context flags */
diff --git a/init_sec_context.c b/init_sec_context.c
index fea1ea7..4c82964 100644
--- a/init_sec_context.c
+++ b/init_sec_context.c
@@ -483,9 +483,9 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
 major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec);
 if (GSS_ERROR(major)) goto cleanup;
- ctx->state = GSSEAP_STATE_ESTABLISHED;
+ gssEapSmTransition(ctx, GSSEAP_STATE_ESTABLISHED);
 } else {
- ctx->state = GSSEAP_STATE_REAUTHENTICATE;
+ gssEapSmTransition(ctx, GSSEAP_STATE_REAUTHENTICATE);
 }
 cleanup:
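Review bot: The `else` branch of eapGssSmInitGssReauth (init_sec_context.c, hunk at -483) now calls `gssEapSmTransition(ctx, GSSEAP_STATE_REAUTHENTICATE)`, and the helper this patch adds in util_sm.c asserts `state > ctx->state`, so reaching this branch while the context is already in GSSEAP_STATE_REAUTHENTICATE aborts an assert-enabled build where the old plain assignment was a no-op. The function starts outside the hunk, so whether the branch can run more than once per context is not visible here; if the reauthentication exchange can take more than one round, the round count is influenced by the peer and the assertion becomes a way to terminate the process. Either guard the call, `if (ctx->state != GSSEAP_STATE_REAUTHENTICATE) gssEapSmTransition(ctx, GSSEAP_STATE_REAUTHENTICATE);`, or relax the helper's check to `assert(state >= ctx->state);`.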
@@ -740,7 +740,7 @@ eapGssSmInitCompleteAcceptorExts(OM_uint32 *minor,
 {
 *minor = 0;
- ctx->state = GSSEAP_STATE_ESTABLISHED;
+ gssEapSmTransition(ctx, GSSEAP_STATE_ESTABLISHED);
 *smFlags |= SM_FLAG_STOP_EVAL;
 return GSS_S_COMPLETE;
diff --git a/util.h b/util.h
index b081cce..85123d0 100644
--- a/util.h
+++ b/util.h
@@ -534,7 +534,43 @@ sequenceInit(OM_uint32 *minor, void **vqueue, uint64_t seqnum, int do_replay, int do_sequence, int wide_nums);
 /* util_sm.c */
-struct gss_eap_sm;
+enum gss_eap_state {
+ GSSEAP_STATE_INITIAL = 0x01, /* initial state */
+ GSSEAP_STATE_AUTHENTICATE = 0x02, /* exchange EAP messages */
+ GSSEAP_STATE_INITIATOR_EXTS = 0x04, /* initiator extensions */
+ GSSEAP_STATE_ACCEPTOR_EXTS = 0x08, /* acceptor extensions */
+ GSSEAP_STATE_REAUTHENTICATE = 0x10, /* GSS reauthentication messages */
+ GSSEAP_STATE_ESTABLISHED = 0x20, /* context established */
+ GSSEAP_STATE_ALL = 0x3F
+};
+
+#define GSSEAP_STATE_NEXT(s) ((s) << 1)
+
+/* state machine entry */
+struct gss_eap_sm {
+ OM_uint32 inputTokenType;
+ OM_uint32 outputTokenType;
+ enum gss_eap_state validStates;
+ OM_uint32 itokFlags;
+ OM_uint32 (*processToken)(OM_uint32 *,
+ gss_cred_id_t,
+ gss_ctx_id_t,
+ gss_name_t,
+ gss_OID,
+ OM_uint32,
+ OM_uint32,
+ gss_channel_bindings_t,
+ gss_buffer_t,
+ gss_buffer_t,
+ OM_uint32 *);
+};
+
+#define SM_FLAG_TRANSITION 0x00000001 /* transition to next state */
+#define SM_FLAG_FORCE_SEND_TOKEN 0x00000002 /* send token even if empty */
+#define SM_FLAG_STOP_EVAL 0x00000004 /* no more handlers for this state */
+
+#define SM_ITOK_FLAG_CRITICAL 0x00000001 /* sent tokens marked critical */
+#define SM_ITOK_FLAG_REQUIRED 0x00000002 /* received tokens must be present */
 OM_uint32 gssEapSmStep(OM_uint32 *minor,
@@ -550,6 +586,9 @@ gssEapSmStep(OM_uint32 *minor,
 struct gss_eap_sm *sm, size_t smCount);
+void
+gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state);
+
 /* util_token.c */
 OM_uint32 gssEapEncodeInnerTokens(OM_uint32 *minor,
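Review bot: The `gssEapSmTransition` prototype added in util.h (hunk at -550, which opens inside the gssEapSmStep prototype) is exported without any statement of its contract, although accept_sec_context.c and init_sec_context.c now depend on it for every state change. I would put a comment above it such as `/* Set ctx->state to a later state: state must be greater than the current state and at most GSSEAP_STATE_ESTABLISHED; checked with assert() only. */`. Stating at the declaration that the forward-only rule is an assertion rather than a runtime guarantee tells callers they cannot rely on it in builds compiled with NDEBUG.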
diff --git a/util_sm.c b/util_sm.c
index 9b18ea3..fae6528 100644
--- a/util_sm.c
+++ b/util_sm.c
@@ -68,6 +68,20 @@ gssEapStateToString(enum gss_eap_state state)
 return s;
 }
+void
+gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state)
+{
+ assert(state > ctx->state);
+ assert(state <= GSSEAP_STATE_ESTABLISHED);
+
+#ifdef GSSEAP_DEBUG
+ fprintf(stderr, "GSS-EAP: state transition %s->%s\n",
+ gssEapStateToString(ctx->state), gssEapStateToString(state));
+#endif
+
+ ctx->state = state;
+}
+
 static OM_uint32 makeErrorToken(OM_uint32 *minor, OM_uint32 majorStatus,
@@ -267,15 +281,7 @@ gssEapSmStep(OM_uint32 *minor,
 if (GSS_ERROR(major) || (smFlags & SM_FLAG_TRANSITION) == 0) break;
- assert(ctx->state < GSSEAP_STATE_ESTABLISHED);
-
-#ifdef GSSEAP_DEBUG
- fprintf(stderr, "GSS-EAP: state transition %s->%s\n",
- gssEapStateToString(ctx->state),
- gssEapStateToString(GSSEAP_STATE_NEXT(ctx->state)));
-#endif
-
- ctx->state = GSSEAP_STATE_NEXT(ctx->state);
+ gssEapSmTransition(ctx, GSSEAP_STATE_NEXT(ctx->state));
 if (innerOutputTokens->count != 0 || (smFlags & SM_FLAG_FORCE_SEND_TOKEN)) {
 assert(major == GSS_S_CONTINUE_NEEDED || ctx->state == GSSEAP_STATE_ESTABLISHED);
--
2.1.4
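Review bot: gssEapSmTransition (util_sm.c, hunk at -68) validates the requested state only with assert(), so a build compiled with NDEBUG stores whatever it is handed, and this function is now the single place that decides when a context becomes GSSEAP_STATE_ESTABLISHED. The call site in gssEapSmStep (hunk at -267) passes `GSSEAP_STATE_NEXT(ctx->state)`, which evaluates to 0x40 if a handler requests a transition on an already established context. The two range checks also accept values that are not a single state bit, for example 0x03 when the current state is 0x02. Adding `assert((state & (state - 1)) == 0);` covers the second case. For the first, consider an unconditional check that leaves `ctx->state` untouched on an invalid request, so the state machine fails closed without depending on assertions.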