Add some extension feature negotiation

author Luke Howard <lukeh@padl.com>

Mon, 14 Mar 2011 11:03:19 +0000 (22:03 +1100)

committer Luke Howard <lukeh@padl.com>

Mon, 14 Mar 2011 11:03:19 +0000 (22:03 +1100)
author Luke Howard <lukeh@padl.com>
Mon, 14 Mar 2011 11:03:19 +0000 (22:03 +1100)
committer Luke Howard <lukeh@padl.com>
Mon, 14 Mar 2011 11:03:19 +0000 (22:03 +1100)
diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c

index 1bc5a88..23bfecb 100644 (file)
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -125,6 +125,49 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
  }
  
  static OM_uint32
+gssEapSupportedInitiatorExts[] = {
+};
+
+static struct gss_eap_itok_map
+gssEapAcceptorExtsFlagMap[] = {
+    { ITOK_TYPE_REAUTH_CREDS, CTX_FLAG_KRB_REAUTH_SUPPORTED },
+};
+
+static OM_uint32
+eapGssSmAcceptExts(OM_uint32 *minor,
+                   gss_cred_id_t cred,
+                   gss_ctx_id_t ctx,
+                   gss_name_t target,
+                   gss_OID mech,
+                   OM_uint32 reqFlags,
+                   OM_uint32 timeReq,
+                   gss_channel_bindings_t chanBindings,
+                   gss_buffer_t inputToken,
+                   gss_buffer_t outputToken,
+                   OM_uint32 *smFlags)
+{
+    OM_uint32 major;
+
+    major = gssEapProcessExtensions(minor, inputToken,
+                                    gssEapAcceptorExtsFlagMap,
+                                    sizeof(gssEapAcceptorExtsFlagMap) /
+                                        sizeof(gssEapAcceptorExtsFlagMap[0]),
+                                    &ctx->flags);
+    if (GSS_ERROR(major))
+        return major;
+
+    major = gssEapEncodeExtensions(minor,
+                                   gssEapSupportedInitiatorExts,
+                                   sizeof(gssEapSupportedInitiatorExts) /
+                                        sizeof(gssEapSupportedInitiatorExts[0]),
+                                   outputToken);
+    if (GSS_ERROR(major))
+        return major;
+
+    return GSS_S_CONTINUE_NEEDED;
+}
+
+static OM_uint32
  eapGssSmAcceptAcceptorName(OM_uint32 *minor,
                             gss_cred_id_t cred,
                             gss_ctx_id_t ctx,
@@ -668,13 +711,15 @@ eapGssSmAcceptReauthCreds(OM_uint32 *minor,
       * If we're built with fast reauthentication enabled, then
       * fabricate a ticket from the initiator to ourselves.
       */
-    major = gssEapMakeReauthCreds(minor, ctx, cred, outputToken);
+    if (ctx->flags & CTX_FLAG_KRB_REAUTH_SUPPORTED)
+        major = gssEapMakeReauthCreds(minor, ctx, cred, outputToken);
+    else
+        major = GSS_S_UNAVAILABLE;
+
      if (major == GSS_S_UNAVAILABLE)
          major = GSS_S_COMPLETE;
-    if (major == GSS_S_COMPLETE)
-        major = GSS_S_CONTINUE_NEEDED;
  
-    return major;
+    return GSS_ERROR(major) ? major : GSS_S_CONTINUE_NEEDED;
  }
  #endif
  
@@ -739,6 +784,13 @@ static struct gss_eap_sm eapGssAcceptorSm[] = {
          0,
          eapGssSmAcceptAcceptorName
      },
+    {
+        ITOK_TYPE_ACCEPTOR_EXTS,
+        ITOK_TYPE_INITIATOR_EXTS,
+        GSSEAP_STATE_INITIAL,
+        0,
+        eapGssSmAcceptExts,
+    },
  #ifdef GSSEAP_DEBUG
      {
          ITOK_TYPE_VENDOR_INFO,
diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h

index 493eaac..d5520d4 100644 (file)
--- a/mech_eap/gssapiP_eap.h
+++ b/mech_eap/gssapiP_eap.h
@@ -137,6 +137,7 @@ struct gss_cred_id_struct
  
  #define CTX_FLAG_INITIATOR                  0x00000001
  #define CTX_FLAG_KRB_REAUTH                 0x00000002
+#define CTX_FLAG_KRB_REAUTH_SUPPORTED       0x00000004
  
  #define CTX_IS_INITIATOR(ctx)               (((ctx)->flags & CTX_FLAG_INITIATOR) != 0)
  
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c

index 6689fb0..06f993b 100644 (file)
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -561,13 +561,15 @@ eapGssSmInitAcceptorName(OM_uint32 *minor,
      return GSS_S_CONTINUE_NEEDED;
  }
  
-#if 0
-/* supported inner token types beyond those mandated by specification */
  static OM_uint32
  gssEapSupportedAcceptorExts[] = {
      ITOK_TYPE_REAUTH_CREDS,
  };
  
+static struct gss_eap_itok_map
+gssEapInitiatorExtsFlagMap[] = {
+};
+
  static OM_uint32
  eapGssSmInitExts(OM_uint32 *minor,
                   gss_cred_id_t cred,
@@ -581,30 +583,27 @@ eapGssSmInitExts(OM_uint32 *minor,
                   gss_buffer_t outputToken,
                   OM_uint32 *smFlags)
  {
-    size_t i;
-    unsigned char *p;
+    OM_uint32 major;
  
      if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
-        outputToken->value = GSSEAP_MALLOC(sizeof(gssEapSupportedAcceptorExts));
-        if (outputToken->value == NULL) {
-            *minor = ENOMEM;
-            return GSS_S_FAILURE;
-        }
-        outputToken->length = sizeof(gssEapSupportedAcceptorExts);
-
-        for (i = 0, p = (unsigned char *)outputToken->value;
-             i < sizeof(gssEapSupportedAcceptorExts)
-                / sizeof(gssEapSupportedAcceptorExts[0]);
-            i++) {
-            store_uint32_be(gssEapSupportedAcceptorExts[i], p);
-            p += 4;
-        }
+        major = gssEapEncodeExtensions(minor,
+                                       gssEapSupportedAcceptorExts,
+                                       sizeof(gssEapSupportedAcceptorExts) /
+                                            sizeof(gssEapSupportedAcceptorExts[0]),
+                                       outputToken);
      } else if (inputToken != GSS_C_NO_BUFFER) {
+        major = gssEapProcessExtensions(minor, inputToken,
+                                        gssEapInitiatorExtsFlagMap,
+                                        sizeof(gssEapInitiatorExtsFlagMap) /
+                                            sizeof(gssEapInitiatorExtsFlagMap[0]),
+                                        &ctx->flags);
      }
  
+    if (GSS_ERROR(major))
+        return major;
+
      return GSS_S_CONTINUE_NEEDED;
  }
-#endif
  
  static OM_uint32
  eapGssSmInitIdentity(OM_uint32 *minor,
@@ -874,7 +873,6 @@ static struct gss_eap_sm eapGssInitiatorSm[] = {
          0,
          eapGssSmInitAcceptorName
      },
-#if 0
      {
          ITOK_TYPE_INITIATOR_EXTS,
          ITOK_TYPE_ACCEPTOR_EXTS,
@@ -882,7 +880,6 @@ static struct gss_eap_sm eapGssInitiatorSm[] = {
          0,
          eapGssSmInitExts
      },
-#endif
  #ifdef GSSEAP_DEBUG
      {
          ITOK_TYPE_NONE,
diff --git a/mech_eap/util.h b/mech_eap/util.h

index a41fc6f..232012f 100644 (file)
--- a/mech_eap/util.h
+++ b/mech_eap/util.h
@@ -158,6 +158,11 @@ enum gss_eap_token_type {
      TOK_TYPE_ACCEPTOR_CONTEXT        = 0x0602,  /* acceptor-sent context token */
  };
  
+struct gss_eap_itok_map {
+    OM_uint32 type;                             /* inner token type */
+    OM_uint32 flag;                             /* context flag */
+};
+
  /* inner token types and flags */
  #define ITOK_TYPE_NONE                  0x00000000
  #define ITOK_TYPE_CONTEXT_ERR           0x00000001 /* critical */
@@ -217,6 +222,19 @@ gssEapVerifyConversationMIC(OM_uint32 *minor,
                              gss_ctx_id_t ctx,
                              const gss_buffer_t convMIC);
  
+OM_uint32
+gssEapEncodeExtensions(OM_uint32 *minor,
+                       OM_uint32 *types,
+                       size_t typesCount,
+                       gss_buffer_t outputToken);
+
+OM_uint32
+gssEapProcessExtensions(OM_uint32 *minor,
+                        gss_buffer_t inputToken,
+                        struct gss_eap_itok_map *map,
+                        size_t mapCount,
+                        OM_uint32 *flags);
+
  /* util_cred.c */
  OM_uint32 gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred);
  OM_uint32 gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred);
diff --git a/mech_eap/util_context.c b/mech_eap/util_context.c

index 15c3067..ceb58f5 100644 (file)
--- a/mech_eap/util_context.c
+++ b/mech_eap/util_context.c
@@ -378,3 +378,65 @@ gssEapVerifyConversationMIC(OM_uint32 *minor,
  
      return major;
  }
+
+OM_uint32
+gssEapEncodeExtensions(OM_uint32 *minor,
+                       OM_uint32 *types,
+                       size_t typesCount,
+                       gss_buffer_t outputToken)
+{
+    size_t i;
+    unsigned char *p;
+
+    outputToken->value = GSSEAP_MALLOC(4 * typesCount);
+    if (outputToken->value == NULL) {
+        *minor = ENOMEM;
+        return GSS_S_FAILURE;
+    }
+    p = (unsigned char *)outputToken->value;
+
+    outputToken->length = 4 * typesCount;
+
+    for (i = 0; i < typesCount; i++) {
+        store_uint32_be(types[i], p);
+        p += 4;
+    }
+
+    *minor = 0;
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapProcessExtensions(OM_uint32 *minor,
+                        gss_buffer_t inputToken,
+                        struct gss_eap_itok_map *map,
+                        size_t mapCount,
+                        OM_uint32 *flags)
+{
+    size_t i;
+    unsigned char *p;
+
+    if ((inputToken->length % 4) != 0) {
+        *minor = GSSEAP_TOK_TRUNC;
+        return GSS_S_DEFECTIVE_TOKEN;
+    }
+
+    p = (unsigned char *)inputToken->value;
+
+    for (i = 0; i < inputToken->length / 4; i++) {
+        OM_uint32 type = load_uint32_be(p);
+        size_t j;
+
+        for (j = 0; j < mapCount; j++) {
+            if (map->type == type) {
+                *flags |= map->flag;
+                break;
+            }
+        }
+
+        p += 4;
+    }
+
+    *minor = 0;
+    return GSS_S_COMPLETE;
+}
author	Luke Howard <lukeh@padl.com>
	Mon, 14 Mar 2011 11:03:19 +0000 (22:03 +1100)
committer	Luke Howard <lukeh@padl.com>
	Mon, 14 Mar 2011 11:03:19 +0000 (22:03 +1100)
mech_eap/accept_sec_context.c		patch \| blob \| history
mech_eap/gssapiP_eap.h		patch \| blob \| history
mech_eap/init_sec_context.c		patch \| blob \| history
mech_eap/util.h		patch \| blob \| history
mech_eap/util_context.c		patch \| blob \| history