From: Luke Howard Date: Sat, 10 Sep 2011 21:30:35 +0000 (+0100) Subject: separate {init,accept}_sec_context into gss_/gssEap pattern X-Git-Tag: tr-beta1~124 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=moonshot.git;a=commitdiff_plain;h=718b3c72ced52cc2f70abc45f2df13ee5d9a5cec separate {init,accept}_sec_context into gss_/gssEap pattern --- diff --git a/moonshot/mech_eap/accept_sec_context.c b/moonshot/mech_eap/accept_sec_context.c index afcd4d3..d010e34 100644 --- a/moonshot/mech_eap/accept_sec_context.c +++ b/moonshot/mech_eap/accept_sec_context.c @@ -858,9 +858,9 @@ static struct gss_eap_sm eapGssAcceptorSm[] = { }, }; -OM_uint32 GSSAPI_CALLCONV -gss_accept_sec_context(OM_uint32 *minor, - gss_ctx_id_t *context_handle, +OM_uint32 +gssEapAcceptSecContext(OM_uint32 *minor, + gss_ctx_id_t ctx, gss_cred_id_t cred, gss_buffer_t input_token, gss_channel_bindings_t input_chan_bindings, @@ -872,30 +872,6 @@ gss_accept_sec_context(OM_uint32 *minor, gss_cred_id_t *delegated_cred_handle) { OM_uint32 major, tmpMinor; - gss_ctx_id_t ctx = *context_handle; - - *minor = 0; - - output_token->length = 0; - output_token->value = NULL; - - if (src_name != NULL) - *src_name = GSS_C_NO_NAME; - - if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { - *minor = GSSEAP_TOK_TRUNC; - return GSS_S_DEFECTIVE_TOKEN; - } - - if (ctx == GSS_C_NO_CONTEXT) { - major = gssEapAllocContext(minor, &ctx); - if (GSS_ERROR(major)) - return major; - - *context_handle = ctx; - } - - GSSEAP_MUTEX_LOCK(&ctx->mutex); if (cred == GSS_C_NO_CREDENTIAL) { if (ctx->cred == GSS_C_NO_CREDENTIAL) { @@ -972,10 +948,6 @@ gss_accept_sec_context(OM_uint32 *minor, cleanup: if (cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_UNLOCK(&cred->mutex); - GSSEAP_MUTEX_UNLOCK(&ctx->mutex); - - if (GSS_ERROR(major)) - gssEapReleaseContext(&tmpMinor, context_handle); return major; } 
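Review bot: In the `@@ -872,30 +872,6 @@` hunk, gssEapAcceptSecContext now begins directly at the credential handling with the input_token, context-allocation and GSSEAP_MUTEX_LOCK steps removed, so it is only correct when the caller has already validated input_token, allocated ctx and taken ctx->mutex, and nothing in the hunk records that contract. A comment above the definition, such as `/* Internal entry point: ctx must be allocated and ctx->mutex held by the caller; input_token must be non-empty; the caller releases ctx on GSS_ERROR. */`, would stop a future in-tree caller from reaching the state machine unlocked or with an empty token. The companion cleanup hunk drops both the ctx unlock and the gssEapReleaseContext call, so an error return now leaves ctx locked and allocated for the wrapper to deal with; `tmpMinor` is still declared here and may be unused unless the body outside the hunk references it. The function body continues past the end of this hunk.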
@@ -1061,3 +1033,62 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor, return major; } #endif /* GSSEAP_ENABLE_REAUTH */ + +OM_uint32 GSSAPI_CALLCONV +gss_accept_sec_context(OM_uint32 *minor, + gss_ctx_id_t *context_handle, + gss_cred_id_t cred, + gss_buffer_t input_token, + gss_channel_bindings_t input_chan_bindings, + gss_name_t *src_name, + gss_OID *mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + gss_cred_id_t *delegated_cred_handle) +{ + OM_uint32 major, tmpMinor; + gss_ctx_id_t ctx = *context_handle; + + *minor = 0; + + output_token->length = 0; + output_token->value = NULL; + + if (src_name != NULL) + *src_name = GSS_C_NO_NAME; + + if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { + *minor = GSSEAP_TOK_TRUNC; + return GSS_S_DEFECTIVE_TOKEN; + } + + if (ctx == GSS_C_NO_CONTEXT) { + major = gssEapAllocContext(minor, &ctx); + if (GSS_ERROR(major)) + return major; + + *context_handle = ctx; + } + + GSSEAP_MUTEX_LOCK(&ctx->mutex); + + major = gssEapAcceptSecContext(minor, + ctx, + cred, + input_token, + input_chan_bindings, + src_name, + mech_type, + output_token, + ret_flags, + time_rec, + delegated_cred_handle); + + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); + + if (GSS_ERROR(major)) + gssEapReleaseContext(&tmpMinor, context_handle); + + return major; +} diff --git a/moonshot/mech_eap/gssapiP_eap.h b/moonshot/mech_eap/gssapiP_eap.h index 8d7dc36..d62738f 100644 --- a/moonshot/mech_eap/gssapiP_eap.h +++ b/moonshot/mech_eap/gssapiP_eap.h 
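Review bot: The new gss_accept_sec_context wrapper locks ctx->mutex and dispatches without any check on the state of a caller-supplied context, whereas the gss_init_sec_context wrapper added in the same commit asserts `ctx->mechanismUsed != GSS_C_NO_OID` for an existing handle. Whether the acceptor needs the equivalent depends on when the acceptor state machine records mechanismUsed from the initial token, which is outside this hunk; if it is always set before the first GSS_S_CONTINUE_NEEDED return, a one-line comment saying so would make the asymmetry deliberate. The wrapper also carries no comment describing the split; a header comment such as `/* Validate arguments, allocate and lock the context, run gssEapAcceptSecContext, and release the context on any GSS_ERROR status. */` would help. The minor status from gssEapReleaseContext is discarded into tmpMinor, which matches the pre-commit behaviour.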
@@ -224,6 +224,36 @@ struct gss_ctx_id_struct #define KEY_USAGE_INITIATOR_SEAL 24 #define KEY_USAGE_INITIATOR_SIGN 25 +/* accept_sec_context.c */ +OM_uint32 +gssEapAcceptSecContext(OM_uint32 *minor, + gss_ctx_id_t ctx, + gss_cred_id_t cred, + gss_buffer_t input_token, + gss_channel_bindings_t input_chan_bindings, + gss_name_t *src_name, + gss_OID *mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec, + gss_cred_id_t *delegated_cred_handle); + +/* init_sec_context.c */ +OM_uint32 +gssEapInitSecContext(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t ctx, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec); + /* wrap_iov.c */ OM_uint32 gssEapWrapOrGetMIC(OM_uint32 *minor, diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 23795fc..e5bc107 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c @@ -943,10 +943,10 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { } }; -OM_uint32 GSSAPI_CALLCONV -gss_init_sec_context(OM_uint32 *minor, +OM_uint32 +gssEapInitSecContext(OM_uint32 *minor, gss_cred_id_t cred, - gss_ctx_id_t *context_handle, + gss_ctx_id_t ctx, gss_name_t target_name, gss_OID mech_type, OM_uint32 req_flags, 
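Review bot: The two prototypes added to gssapiP_eap.h are internal entry points with a locking precondition that the header does not state: both public wrappers in this commit allocate the context and hold ctx->mutex before calling them, and gssEapInitSecContext additionally relies on ctx->mechanismUsed being GSS_C_NO_OID only for a freshly allocated context. A comment on each declaration, e.g. `/* Internal: ctx must be allocated and ctx->mutex held by the caller; the caller releases ctx on GSS_ERROR. */`, records that so other callers do not invoke them unlocked. It is also worth noting in the header that the parameter order differs between the two (cred before ctx in the init variant, ctx before cred in the accept variant) because each mirrors its public GSS-API counterpart.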
@@ -959,31 +959,7 @@ gss_init_sec_context(OM_uint32 *minor, OM_uint32 *time_rec) { OM_uint32 major, tmpMinor; - gss_ctx_id_t ctx = *context_handle; - int initialContextToken = 0; - - *minor = 0; - - output_token->length = 0; - output_token->value = NULL; - - if (ctx == GSS_C_NO_CONTEXT) { - if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { - *minor = GSSEAP_WRONG_SIZE; - return GSS_S_DEFECTIVE_TOKEN; - } - - major = gssEapAllocContext(minor, &ctx); - if (GSS_ERROR(major)) - return major; - - ctx->flags |= CTX_FLAG_INITIATOR; - initialContextToken = 1; - - *context_handle = ctx; - } - - GSSEAP_MUTEX_LOCK(&ctx->mutex); + int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID); if (cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_LOCK(&cred->mutex); 
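Review bot: `int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);` replaces a flag that was set only when the context was freshly allocated, so the initial-token path is now re-entered on any later call for which ctx->mechanismUsed is still unset. That is safe only if every path through the initiator state machine stores mechanismUsed before returning GSS_S_CONTINUE_NEEDED, which cannot be confirmed from this hunk, and the wrapper's assert covers debug builds only. If ctx->state is guaranteed to leave GSSEAP_STATE_INITIAL on the first pass (gssEapAllocContext sets it, per the util_context.c hunk), deriving the flag from the state would not depend on mechanism negotiation; otherwise add a comment such as `/* mechanismUsed is GSS_C_NO_OID only on a freshly allocated context; gss_init_sec_context asserts this for existing handles. */`. The enclosing function starts and ends outside this hunk.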
@@ -1045,6 +1021,66 @@ cleanup: GSSEAP_MUTEX_UNLOCK(&cred->mutex); if (ctx->cred != GSS_C_NO_CREDENTIAL) GSSEAP_MUTEX_UNLOCK(&ctx->cred->mutex); + + return major; +} + +OM_uint32 GSSAPI_CALLCONV +gss_init_sec_context(OM_uint32 *minor, + gss_cred_id_t cred, + gss_ctx_id_t *context_handle, + gss_name_t target_name, + gss_OID mech_type, + OM_uint32 req_flags, + OM_uint32 time_req, + gss_channel_bindings_t input_chan_bindings, + gss_buffer_t input_token, + gss_OID *actual_mech_type, + gss_buffer_t output_token, + OM_uint32 *ret_flags, + OM_uint32 *time_rec) +{ + OM_uint32 major, tmpMinor; + gss_ctx_id_t ctx = *context_handle; + + *minor = 0; + + output_token->length = 0; + output_token->value = NULL; + + assert(ctx == GSS_C_NO_CONTEXT || ctx->mechanismUsed != GSS_C_NO_OID); + + if (ctx == GSS_C_NO_CONTEXT) { + if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) { + *minor = GSSEAP_WRONG_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } + + major = gssEapAllocContext(minor, &ctx); + if (GSS_ERROR(major)) + return major; + + ctx->flags |= CTX_FLAG_INITIATOR; + + *context_handle = ctx; + } + + GSSEAP_MUTEX_LOCK(&ctx->mutex); + + major = gssEapInitSecContext(minor, + cred, + ctx, + target_name, + mech_type, + req_flags, + time_req, + input_chan_bindings, + input_token, + actual_mech_type, + output_token, + ret_flags, + time_rec); + GSSEAP_MUTEX_UNLOCK(&ctx->mutex); if (GSS_ERROR(major)) diff --git a/moonshot/mech_eap/util_context.c b/moonshot/mech_eap/util_context.c index a7376d1..32ca195 100644 --- a/moonshot/mech_eap/util_context.c +++ b/moonshot/mech_eap/util_context.c @@ -58,6 +58,7 @@ gssEapAllocContext(OM_uint32 *minor, } ctx->state = GSSEAP_STATE_INITIAL; + ctx->mechanismUsed = GSS_C_NO_OID; /* * Integrity, confidentiality, sequencing and replay detection are 
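Review bot: `assert(ctx == GSS_C_NO_CONTEXT || ctx->mechanismUsed != GSS_C_NO_OID);` is the only guard that keeps an existing context with no recorded mechanism from being handled as an initial-token call by gssEapInitSecContext, and it is compiled out under NDEBUG. If that state is reachable — for instance if a first call can return GSS_S_CONTINUE_NEEDED before mechanismUsed is assigned, which this hunk cannot rule out — a release build would feed the peer's token into the initial-token path. A runtime check after `*minor = 0;`, `if (ctx != GSS_C_NO_CONTEXT && ctx->mechanismUsed == GSS_C_NO_OID) return GSS_S_NO_CONTEXT;`, fails closed in every build; if the invariant is purely internal, keep the assert but add a comment explaining why it holds. The `if (GSS_ERROR(major))` at the end of the hunk continues into lines outside it.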
@@ -150,6 +151,8 @@ gssEapMakeToken(OM_uint32 *minor, { unsigned char *p; + assert(ctx->mechanismUsed != GSS_C_NO_OID); + outputToken->length = tokenSize(ctx->mechanismUsed, innerToken->length); outputToken->value = GSSEAP_MALLOC(outputToken->length); if (outputToken->value == NULL) {
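Review bot: The added `assert(ctx->mechanismUsed != GSS_C_NO_OID);` protects the `tokenSize(ctx->mechanismUsed, ...)` call that follows only in debug builds; with NDEBUG the call proceeds with a null OID, and what tokenSize does with it is not visible here. If this function can be reached through any path before the mechanism is recorded, a runtime check that fails the call, e.g. `if (ctx->mechanismUsed == GSS_C_NO_OID) return GSS_S_BAD_MECH;` with `*minor` set to a suitable mechanism-specific code, would be safer than relying on the assert. gssEapMakeToken's signature and its return path lie outside this hunk.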