}
static OM_uint32
+gssEapSupportedInitiatorExts[] = {
+};
+
+static struct gss_eap_itok_map
+gssEapAcceptorExtsFlagMap[] = {
+ { ITOK_TYPE_REAUTH_CREDS, CTX_FLAG_KRB_REAUTH_SUPPORTED },
+};
+
+static OM_uint32
+eapGssSmAcceptExts(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target,
+ gss_OID mech,
+ OM_uint32 reqFlags,
+ OM_uint32 timeReq,
+ gss_channel_bindings_t chanBindings,
+ gss_buffer_t inputToken,
+ gss_buffer_t outputToken,
+ OM_uint32 *smFlags)
+{
+ OM_uint32 major;
+
+ major = gssEapProcessExtensions(minor, inputToken,
+ gssEapAcceptorExtsFlagMap,
+ sizeof(gssEapAcceptorExtsFlagMap) /
+ sizeof(gssEapAcceptorExtsFlagMap[0]),
+ &ctx->flags);
+ if (GSS_ERROR(major))
+ return major;
+
+ major = gssEapEncodeExtensions(minor,
+ gssEapSupportedInitiatorExts,
+ sizeof(gssEapSupportedInitiatorExts) /
+ sizeof(gssEapSupportedInitiatorExts[0]),
+ outputToken);
+ if (GSS_ERROR(major))
+ return major;
+
+ return GSS_S_CONTINUE_NEEDED;
+}
+
+static OM_uint32
eapGssSmAcceptAcceptorName(OM_uint32 *minor,
gss_cred_id_t cred,
gss_ctx_id_t ctx,
* If we're built with fast reauthentication enabled, then
* fabricate a ticket from the initiator to ourselves.
*/
- major = gssEapMakeReauthCreds(minor, ctx, cred, outputToken);
+ if (ctx->flags & CTX_FLAG_KRB_REAUTH_SUPPORTED)
+ major = gssEapMakeReauthCreds(minor, ctx, cred, outputToken);
+ else
+ major = GSS_S_UNAVAILABLE;
+
if (major == GSS_S_UNAVAILABLE)
major = GSS_S_COMPLETE;
- if (major == GSS_S_COMPLETE)
- major = GSS_S_CONTINUE_NEEDED;
- return major;
+ return GSS_ERROR(major) ? major : GSS_S_CONTINUE_NEEDED;
}
#endif
0,
eapGssSmAcceptAcceptorName
},
+ {
+ ITOK_TYPE_ACCEPTOR_EXTS,
+ ITOK_TYPE_INITIATOR_EXTS,
+ GSSEAP_STATE_INITIAL,
+ 0,
+ eapGssSmAcceptExts,
+ },
#ifdef GSSEAP_DEBUG
{
ITOK_TYPE_VENDOR_INFO,
#define CTX_FLAG_INITIATOR 0x00000001
#define CTX_FLAG_KRB_REAUTH 0x00000002
+#define CTX_FLAG_KRB_REAUTH_SUPPORTED 0x00000004
#define CTX_IS_INITIATOR(ctx) (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
return GSS_S_CONTINUE_NEEDED;
}
-#if 0
-/* supported inner token types beyond those mandated by specification */
static OM_uint32
gssEapSupportedAcceptorExts[] = {
ITOK_TYPE_REAUTH_CREDS,
};
+static struct gss_eap_itok_map
+gssEapInitiatorExtsFlagMap[] = {
+};
+
static OM_uint32
eapGssSmInitExts(OM_uint32 *minor,
gss_cred_id_t cred,
gss_buffer_t outputToken,
OM_uint32 *smFlags)
{
- size_t i;
- unsigned char *p;
+ OM_uint32 major;
if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
- outputToken->value = GSSEAP_MALLOC(sizeof(gssEapSupportedAcceptorExts));
- if (outputToken->value == NULL) {
- *minor = ENOMEM;
- return GSS_S_FAILURE;
- }
- outputToken->length = sizeof(gssEapSupportedAcceptorExts);
-
- for (i = 0, p = (unsigned char *)outputToken->value;
- i < sizeof(gssEapSupportedAcceptorExts)
- / sizeof(gssEapSupportedAcceptorExts[0]);
- i++) {
- store_uint32_be(gssEapSupportedAcceptorExts[i], p);
- p += 4;
- }
+ major = gssEapEncodeExtensions(minor,
+ gssEapSupportedAcceptorExts,
+ sizeof(gssEapSupportedAcceptorExts) /
+ sizeof(gssEapSupportedAcceptorExts[0]),
+ outputToken);
} else if (inputToken != GSS_C_NO_BUFFER) {
+ major = gssEapProcessExtensions(minor, inputToken,
+ gssEapInitiatorExtsFlagMap,
+ sizeof(gssEapInitiatorExtsFlagMap) /
+ sizeof(gssEapInitiatorExtsFlagMap[0]),
+ &ctx->flags);
}
+ if (GSS_ERROR(major))
+ return major;
+
return GSS_S_CONTINUE_NEEDED;
}
-#endif
static OM_uint32
eapGssSmInitIdentity(OM_uint32 *minor,
0,
eapGssSmInitAcceptorName
},
-#if 0
{
ITOK_TYPE_INITIATOR_EXTS,
ITOK_TYPE_ACCEPTOR_EXTS,
0,
eapGssSmInitExts
},
-#endif
#ifdef GSSEAP_DEBUG
{
ITOK_TYPE_NONE,
TOK_TYPE_ACCEPTOR_CONTEXT = 0x0602, /* acceptor-sent context token */
};
+struct gss_eap_itok_map {
+ OM_uint32 type; /* inner token type */
+ OM_uint32 flag; /* context flag */
+};
+
/* inner token types and flags */
#define ITOK_TYPE_NONE 0x00000000
#define ITOK_TYPE_CONTEXT_ERR 0x00000001 /* critical */
gss_ctx_id_t ctx,
const gss_buffer_t convMIC);
+OM_uint32
+gssEapEncodeExtensions(OM_uint32 *minor,
+ OM_uint32 *types,
+ size_t typesCount,
+ gss_buffer_t outputToken);
+
+OM_uint32
+gssEapProcessExtensions(OM_uint32 *minor,
+ gss_buffer_t inputToken,
+ struct gss_eap_itok_map *map,
+ size_t mapCount,
+ OM_uint32 *flags);
+
/* util_cred.c */
OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
return major;
}
+
+OM_uint32
+gssEapEncodeExtensions(OM_uint32 *minor,
+ OM_uint32 *types,
+ size_t typesCount,
+ gss_buffer_t outputToken)
+{
+ size_t i;
+ unsigned char *p;
+
+ outputToken->value = GSSEAP_MALLOC(4 * typesCount);
+ if (outputToken->value == NULL) {
+ *minor = ENOMEM;
+ return GSS_S_FAILURE;
+ }
+ p = (unsigned char *)outputToken->value;
+
+ outputToken->length = 4 * typesCount;
+
+ for (i = 0; i < typesCount; i++) {
+ store_uint32_be(types[i], p);
+ p += 4;
+ }
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapProcessExtensions(OM_uint32 *minor,
+ gss_buffer_t inputToken,
+ struct gss_eap_itok_map *map,
+ size_t mapCount,
+ OM_uint32 *flags)
+{
+ size_t i;
+ unsigned char *p;
+
+ if ((inputToken->length % 4) != 0) {
+ *minor = GSSEAP_TOK_TRUNC;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
+
+ p = (unsigned char *)inputToken->value;
+
+ for (i = 0; i < inputToken->length / 4; i++) {
+ OM_uint32 type = load_uint32_be(p);
+ size_t j;
+
+ for (j = 0; j < mapCount; j++) {
+ if (map->type == type) {
+ *flags |= map->flag;
+ break;
+ }
+ }
+
+ p += 4;
+ }
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+}