From 13243a4a41a08e984b36cd364d17dd35e5088da8 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Thu, 19 May 2011 17:02:25 +0200 Subject: [PATCH] send GSS flags --- moonshot/mech_eap/accept_sec_context.c | 41 ++++++++++++++++++++++++++++++++++ moonshot/mech_eap/init_sec_context.c | 31 +++++++++++++++++++++++++ moonshot/mech_eap/util.h | 3 +++ moonshot/mech_eap/util_context.c | 3 +-- 4 files changed, 76 insertions(+), 2 deletions(-) diff --git a/moonshot/mech_eap/accept_sec_context.c b/moonshot/mech_eap/accept_sec_context.c index cc8702d..fe54b11 100644 --- a/moonshot/mech_eap/accept_sec_context.c +++ b/moonshot/mech_eap/accept_sec_context.c @@ -616,6 +616,40 @@ cleanup: } static OM_uint32 +eapGssSmAcceptGssFlags(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken, + gss_buffer_t outputToken GSSEAP_UNUSED, + OM_uint32 *smFlags GSSEAP_UNUSED) +{ + unsigned char *p; + OM_uint32 initiatorGssFlags; + + assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0); + + if (inputToken->length < 4) { + *minor = GSSEAP_TOK_TRUNC; + return GSS_S_DEFECTIVE_TOKEN; + } + + /* allow flags to grow for future expansion */ + p = (unsigned char *)inputToken->value + inputToken->length - 4; + + initiatorGssFlags = load_uint32_be(p); + initiatorGssFlags &= GSSEAP_WIRE_FLAGS_MASK; + + ctx->gssFlags |= initiatorGssFlags; + + return GSS_S_CONTINUE_NEEDED; +} + +static OM_uint32 eapGssSmAcceptGssChannelBindings(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, @@ -769,6 +803,13 @@ static struct gss_eap_sm eapGssAcceptorSm[] = { eapGssSmAcceptAuthenticate }, { + ITOK_TYPE_GSS_FLAGS, + ITOK_TYPE_NONE, + GSSEAP_STATE_INITIATOR_EXTS, + 0, + eapGssSmAcceptGssFlags + }, + { ITOK_TYPE_GSS_CHANNEL_BINDINGS, ITOK_TYPE_NONE, GSSEAP_STATE_INITIATOR_EXTS, diff --git a/moonshot/mech_eap/init_sec_context.c b/moonshot/mech_eap/init_sec_context.c index 930eb32..a8b7db0 100644 --- a/moonshot/mech_eap/init_sec_context.c +++ b/moonshot/mech_eap/init_sec_context.c @@ -715,6 +715,30 @@ cleanup: } static OM_uint32 +eapGssSmInitGssFlags(OM_uint32 *minor, + gss_cred_id_t cred GSSEAP_UNUSED, + gss_ctx_id_t ctx, + gss_name_t target GSSEAP_UNUSED, + gss_OID mech GSSEAP_UNUSED, + OM_uint32 reqFlags GSSEAP_UNUSED, + OM_uint32 timeReq GSSEAP_UNUSED, + gss_channel_bindings_t chanBindings GSSEAP_UNUSED, + gss_buffer_t inputToken GSSEAP_UNUSED, + gss_buffer_t outputToken, + OM_uint32 *smFlags GSSEAP_UNUSED) +{ + unsigned char wireFlags[4]; + gss_buffer_desc flagsBuf; + + store_uint32_be(ctx->gssFlags & GSSEAP_WIRE_FLAGS_MASK, wireFlags); + + flagsBuf.length = sizeof(wireFlags); + flagsBuf.value = wireFlags; + + return duplicateBuffer(minor, &flagsBuf, outputToken); +} + +static OM_uint32 eapGssSmInitGssChannelBindings(OM_uint32 *minor, gss_cred_id_t cred GSSEAP_UNUSED, gss_ctx_id_t ctx, @@ -866,6 +890,13 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { }, { ITOK_TYPE_NONE, + ITOK_TYPE_GSS_FLAGS, + GSSEAP_STATE_INITIATOR_EXTS, + 0, + eapGssSmInitGssFlags + }, + { + ITOK_TYPE_NONE, ITOK_TYPE_GSS_CHANNEL_BINDINGS, GSSEAP_STATE_INITIATOR_EXTS, SM_ITOK_FLAG_REQUIRED, diff --git a/moonshot/mech_eap/util.h b/moonshot/mech_eap/util.h index 4de00e3..ae2045c 100644 --- a/moonshot/mech_eap/util.h +++ b/moonshot/mech_eap/util.h @@ -177,12 +177,15 @@ enum gss_eap_token_type { #define ITOK_TYPE_REAUTH_RESP 0x00000009 /* optional */ #define ITOK_TYPE_VERSION_INFO 0x0000000A /* optional */ #define ITOK_TYPE_VENDOR_INFO 0x0000000B /* optional */ +#define ITOK_TYPE_GSS_FLAGS 0x0000000C #define ITOK_FLAG_CRITICAL 0x80000000 /* critical, wire flag */ #define ITOK_FLAG_VERIFIED 0x40000000 /* verified, API flag */ #define ITOK_TYPE_MASK (~(ITOK_FLAG_CRITICAL | ITOK_FLAG_VERIFIED)) +#define GSSEAP_WIRE_FLAGS_MASK GSS_C_MUTUAL_FLAG + OM_uint32 gssEapAllocContext(OM_uint32 *minor, gss_ctx_id_t *pCtx); OM_uint32 gssEapReleaseContext(OM_uint32 *minor, gss_ctx_id_t *pCtx); diff --git a/moonshot/mech_eap/util_context.c b/moonshot/mech_eap/util_context.c index 5a39424..e9a9308 100644 --- a/moonshot/mech_eap/util_context.c +++ b/moonshot/mech_eap/util_context.c @@ -70,8 +70,7 @@ gssEapAllocContext(OM_uint32 *minor, GSS_C_INTEG_FLAG | /* integrity */ GSS_C_CONF_FLAG | /* confidentiality */ GSS_C_SEQUENCE_FLAG | /* sequencing */ - GSS_C_REPLAY_FLAG| /* replay detection */ - GSS_C_MUTUAL_FLAG; /*xxx big hack */ + GSS_C_REPLAY_FLAG; /* replay detection */ *pCtx = ctx; -- 2.1.4