}
static const struct wpa_config_blob *
-peerGetConfigBlob(void *ctx GSSEAP_UNUSED,
- const char *name GSSEAP_UNUSED)
+peerGetConfigBlob(void *ctx,
+ const char *name)
{
- return NULL;
+ gss_ctx_id_t gssCtx = (gss_ctx_id_t)ctx;
+ size_t index;
+
+ if (strcmp(name, "client-cert") == 0)
+ index = CONFIG_BLOB_CLIENT_CERT;
+ else if (strcmp(name, "private-key") == 0)
+ index = CONFIG_BLOB_PRIVATE_KEY;
+ else
+ return NULL;
+
+ return &gssCtx->initiatorCtx.configBlobs[index];
}
static void
OM_uint32 major;
krb5_context krbContext;
struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
+ struct wpa_config_blob *configBlobs = ctx->initiatorCtx.configBlobs;
gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
gss_cred_id_t cred = ctx->cred;
eapPeerConfig->anonymous_identity_len = 1 + realm.length;
/* password */
- eapPeerConfig->password = (unsigned char *)cred->password.value;
- eapPeerConfig->password_len = cred->password.length;
+ if ((cred->flags & CRED_FLAG_CERTIFICATE) == 0) {
+ eapPeerConfig->password = (unsigned char *)cred->password.value;
+ eapPeerConfig->password_len = cred->password.length;
+ }
/* certs */
eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
+ if (cred->flags & CRED_FLAG_CERTIFICATE) {
+ /*
+ * CRED_FLAG_CONFIG_BLOB is an internal flag which will be used in the
+ * future to directly pass certificate and private key data to the
+ * EAP implementation, rather than an indirected string pointer.
+ */
+ if (cred->flags & CRED_FLAG_CONFIG_BLOB) {
+ eapPeerConfig->client_cert = (unsigned char *)"blob://client-cert";
+ configBlobs[CONFIG_BLOB_CLIENT_CERT].data = cred->clientCertificate.value;
+ configBlobs[CONFIG_BLOB_CLIENT_CERT].len = cred->clientCertificate.length;
+
+ eapPeerConfig->client_cert = (unsigned char *)"blob://private-key";
+ configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->clientCertificate.value;
+ configBlobs[CONFIG_BLOB_PRIVATE_KEY].len = cred->privateKey.length;
+ } else {
+ eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
+ eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
+ }
+ eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
+ }
+
*minor = 0;
return GSS_S_COMPLETE;
}
gss_OID actualMech = GSS_C_NO_OID;
OM_uint32 gssFlags, timeRec;
- GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
-
+ /*
+ * Here we use the passed in credential handle because the resolved
+ * context credential does not currently have the reauth creds.
+ */
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
if (!gssEapCanReauthP(cred, target, timeReq))
return GSS_S_CONTINUE_NEEDED;
goto cleanup;
}
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
+
major = gssEapMechToGlueName(minor, target, &mechTarget);
if (GSS_ERROR(major))
goto cleanup;
OM_uint32 major, tmpMinor;
int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);
+ /*
+ * XXX is acquiring the credential lock here necessary? The password is
+ * mutable but the contract could specify that this is not updated whilst
+ * a context is being initialized.
+ */
if (cred != GSS_C_NO_CREDENTIAL)
GSSEAP_MUTEX_LOCK(&cred->mutex);
projects / moonshot.git / blobdiff