gss_cred_id_t cred,
gss_ctx_id_t ctx)
{
+ OM_uint32 major;
krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
- krb5_error_code code;
- char *identity, *anonymousIdentity;
+ gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
eapPeerConfig->identity = NULL;
eapPeerConfig->identity_len = 0;
+ eapPeerConfig->anonymous_identity = NULL;
+ eapPeerConfig->anonymous_identity_len = 0;
eapPeerConfig->password = NULL;
eapPeerConfig->password_len = 0;
return GSS_S_BAD_NAME;
}
- code = krb5_unparse_name(krbContext, cred->name->krbPrincipal, &identity);
- if (code != 0) {
- *minor = code;
+ /* identity */
+ major = gssEapDisplayName(minor, cred->name, &identity, NULL);
+ if (GSS_ERROR(major))
+ return major;
+
+ eapPeerConfig->identity = (unsigned char *)identity.value;
+ eapPeerConfig->identity_len = identity.length;
+
+ krbPrincRealmToGssBuffer(cred->name->krbPrincipal, &realm);
+
+ /* anonymous_identity */
+ eapPeerConfig->anonymous_identity = GSSEAP_MALLOC(realm.length + 2);
+ if (eapPeerConfig->anonymous_identity == NULL) {
+ *minor = ENOMEM;
return GSS_S_FAILURE;
}
- anonymousIdentity = strchr(identity, '@');
- if (anonymousIdentity == NULL)
- anonymousIdentity = "";
+ eapPeerConfig->anonymous_identity[0] = '@';
+ memcpy(eapPeerConfig->anonymous_identity + 1, realm.value, realm.length);
+ eapPeerConfig->anonymous_identity[1 + realm.length] = '\0';
+ eapPeerConfig->anonymous_identity_len = 1 + realm.length;
- eapPeerConfig->identity = (unsigned char *)identity;
- eapPeerConfig->identity_len = strlen(identity);
- eapPeerConfig->anonymous_identity = (unsigned char *)anonymousIdentity;
- eapPeerConfig->anonymous_identity_len = strlen(anonymousIdentity);
+ /* password */
eapPeerConfig->password = (unsigned char *)cred->password.value;
eapPeerConfig->password_len = cred->password.length;
peerConfigFree(OM_uint32 *minor,
gss_ctx_id_t ctx)
{
- krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
- GSSEAP_KRB_INIT(&krbContext);
+ if (eapPeerConfig->identity != NULL) {
+ GSSEAP_FREE(eapPeerConfig->identity);
+ eapPeerConfig->identity = NULL;
+ eapPeerConfig->identity_len = 0;
+ }
- krb5_free_unparsed_name(krbContext, (char *)eapPeerConfig->identity);
+ if (eapPeerConfig->anonymous_identity != NULL) {
+ GSSEAP_FREE(eapPeerConfig->anonymous_identity);
+ eapPeerConfig->anonymous_identity = NULL;
+ eapPeerConfig->anonymous_identity_len = 0;
+ }
*minor = 0;
return GSS_S_COMPLETE;
GSSEAP_MUTEX_UNLOCK(&target->mutex);
}
- if (mech == GSS_C_NULL_OID) {
- major = gssEapDefaultMech(minor, &ctx->mechanismUsed);
- } else if (gssEapIsConcreteMechanismOid(mech)) {
- if (!gssEapInternalizeOid(mech, &ctx->mechanismUsed))
- major = duplicateOid(minor, mech, &ctx->mechanismUsed);
- } else {
- major = GSS_S_BAD_MECH;
- *minor = GSSEAP_WRONG_MECH;
- }
+ major = gssEapCanonicalizeOid(minor,
+ mech,
+ OID_FLAG_NULL_VALID | OID_FLAG_MAP_NULL_TO_DEFAULT_MECH,
+ &ctx->mechanismUsed);
if (GSS_ERROR(major))
return major;
major = gssInitSecContext(minor,
cred->krbCred,
- &ctx->kerberosCtx,
+ &ctx->reauthCtx,
mechTarget,
(gss_OID)gss_mech_krb5,
reqFlags | GSS_C_MUTUAL_FLAG,
ctx->acceptorName == GSS_C_NO_NAME) {
/* Accept target name hint from acceptor */
major = gssEapImportName(minor, inputToken,
- GSS_C_NT_USER_NAME, &ctx->acceptorName);
+ GSS_C_NT_USER_NAME,
+ ctx->mechanismUsed,
+ &ctx->acceptorName);
if (GSS_ERROR(major))
return major;
}
OM_uint32 tmpMinor;
/* server didn't support reauthentication, sent EAP request */
- gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
+ gssDeleteSecContext(&tmpMinor, &ctx->reauthCtx, GSS_C_NO_BUFFER);
ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
} else
{
OM_uint32 major, tmpMinor;
gss_ctx_id_t ctx = *context_handle;
+ int initialContextToken = 0;
*minor = 0;
return major;
ctx->flags |= CTX_FLAG_INITIATOR;
-
- major = initBegin(minor, cred, ctx, target_name, mech_type,
- req_flags, time_req, input_chan_bindings);
- if (GSS_ERROR(major)) {
- gssEapReleaseContext(minor, &ctx);
- return major;
- }
+ initialContextToken = 1;
*context_handle = ctx;
}
GSSEAP_MUTEX_LOCK(&cred->mutex);
-
if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
major = GSS_S_NO_CRED;
*minor = GSSEAP_CRED_USAGE_MISMATCH;
goto cleanup;
}
+ if (initialContextToken) {
+ major = initBegin(minor, cred, ctx, target_name, mech_type,
+ req_flags, time_req, input_chan_bindings);
+ if (GSS_ERROR(major))
+ goto cleanup;
+ }
+
major = gssEapSmStep(minor,
cred,
ctx,
goto cleanup;
if (actual_mech_type != NULL) {
- if (!gssEapInternalizeOid(ctx->mechanismUsed, actual_mech_type))
- duplicateOid(&tmpMinor, ctx->mechanismUsed, actual_mech_type);
+ OM_uint32 tmpMajor;
+
+ tmpMajor = gssEapCanonicalizeOid(&tmpMinor, ctx->mechanismUsed, 0, actual_mech_type);
+ if (GSS_ERROR(tmpMajor)) {
+ major = tmpMajor;
+ *minor = tmpMinor;
+ goto cleanup;
+ }
}
if (ret_flags != NULL)
*ret_flags = ctx->gssFlags;
projects / moonshot.git / blobdiff