From f8cc49e125b030bc7c81373984d12e54abc3cb11 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 22 Sep 2011 19:24:09 +1000
Subject: [PATCH] check radsec config when acquiring acceptor cred
---
 moonshot/mech_eap/TODO | 1 -
 moonshot/mech_eap/accept_sec_context.c | 39 ++++--------------
 moonshot/mech_eap/util_cred.c | 10 +++++
 moonshot/mech_eap/util_radius.cpp | 74 +++++++++++++++++++++++-----------
 moonshot/mech_eap/util_radius.h | 5 +++
 5 files changed, 73 insertions(+), 56 deletions(-)
diff --git a/moonshot/mech_eap/TODO b/moonshot/mech_eap/TODO
index f312904..567deed 100644
--- a/moonshot/mech_eap/TODO
+++ b/moonshot/mech_eap/TODO
@@ -1,4 +1,3 @@
-- gssEapAcquireCred should validate RADIUS configuration
 - integration with initiator-side EAP channel bindings
 - always intern OIDs so they never need to be freed
 - handle many-to-many Shibboleth attribute mappings; need to encode both attribute and value index into more
diff --git a/moonshot/mech_eap/accept_sec_context.c b/moonshot/mech_eap/accept_sec_context.c
index 12f6862..e503477 100644
--- a/moonshot/mech_eap/accept_sec_context.c
+++ b/moonshot/mech_eap/accept_sec_context.c
@@ -418,58 +418,35 @@ createRadiusHandle(OM_uint32 *minor, gss_ctx_id_t ctx)
 {
 struct gss_eap_acceptor_ctx *actx = &ctx->acceptorCtx;
- const char *configFile = RS_CONFIG_FILE;
- const char *configStanza = "gss-eap";
- struct rs_alloc_scheme ralloc;
 struct rs_error *err;
+ const char *configStanza = "gss-eap";
+ OM_uint32 major;
 GSSEAP_ASSERT(actx->radContext == NULL);
 GSSEAP_ASSERT(actx->radConn == NULL);
+ GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
- if (rs_context_create(&actx->radContext) != 0) {
- *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
- return GSS_S_FAILURE;
- }
+ major = gssEapCreateRadiusContext(minor, cred, &actx->radContext);
+ if (GSS_ERROR(major))
+ return major;
- if (cred->radiusConfigFile.value != NULL)
- configFile = (const char *)cred->radiusConfigFile.value;
 if (cred->radiusConfigStanza.value != NULL)
 configStanza = (const char *)cred->radiusConfigStanza.value;
- ralloc.calloc = GSSEAP_CALLOC;
- ralloc.malloc = GSSEAP_MALLOC;
- ralloc.free = GSSEAP_FREE;
- ralloc.realloc = GSSEAP_REALLOC;
-
- rs_context_set_alloc_scheme(actx->radContext, &ralloc);
-
- if (rs_context_read_config(actx->radContext, configFile) != 0) {
- err = rs_err_ctx_pop(actx->radContext);
- goto fail;
- }
-
- if (rs_context_init_freeradius_dict(actx->radContext, NULL) != 0) {
- err = rs_err_ctx_pop(actx->radContext);
- goto fail;
- }
-
 if (rs_conn_create(actx->radContext, &actx->radConn, configStanza) != 0) {
 err = rs_err_conn_pop(actx->radConn);
- goto fail;
+ return gssEapRadiusMapError(minor, err);
 }
 if (actx->radServer != NULL) {
 if (rs_conn_select_peer(actx->radConn, actx->radServer) != 0) {
 err = rs_err_conn_pop(actx->radConn);
- goto fail;
+ return gssEapRadiusMapError(minor, err);
 }
 }
 *minor = 0;
 return GSS_S_COMPLETE;
-
-fail:
- return gssEapRadiusMapError(minor, err);
 }
 /*
diff --git a/moonshot/mech_eap/util_cred.c b/moonshot/mech_eap/util_cred.c
index 37e94b0..444a1d7 100644
--- a/moonshot/mech_eap/util_cred.c
+++ b/moonshot/mech_eap/util_cred.c
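Review bot: When `rs_conn_create(actx->radContext, &actx->radConn, configStanza)` fails, the new early return still takes its error from `rs_err_conn_pop(actx->radConn)`, i.e. from the connection that was just not created; if libradsec leaves `radConn` unset on that path the error is read from a NULL handle, and since the sibling gssEapCreateRadiusContext in this commit reads context-level failures via `rs_err_ctx_pop`, `err = rs_err_ctx_pop(actx->radContext);` looks like the right source here — worth confirming against the libradsec API. The early returns also leave `actx->radContext` populated on failure; presumably the acceptor-context teardown releases it, as it did before this change, but that is not visible in the hunk. `GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL)` only protects the `cred->radiusConfigStanza` dereference in builds where the assertion is compiled in, so a caller passing the default credential would crash in a release build unless something earlier rejects it. The function's signature lines precede the hunk.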
@@ -307,6 +307,16 @@ gssEapAcquireCred(OM_uint32 *minor, GSSEAP_MUTEX_UNLOCK(&desiredName->mutex); } + if (cred->flags & CRED_FLAG_ACCEPT) { + struct rs_context *radContext; + + major = gssEapCreateRadiusContext(minor, cred, &radContext); + if (GSS_ERROR(major)) + goto cleanup; + + rs_context_destroy(radContext); + } + if (pActualMechs != NULL) { major = duplicateOidSet(minor, cred->mechanisms, pActualMechs); if (GSS_ERROR(major)) diff --git a/moonshot/mech_eap/util_radius.cpp b/moonshot/mech_eap/util_radius.cpp index a23d93d..9111e20 100644 --- a/moonshot/mech_eap/util_radius.cpp +++ b/moonshot/mech_eap/util_radius.cpp @@ -492,30 +492,6 @@ gss_eap_radius_attr_provider::init(void) { gss_eap_attr_ctx::registerProvider(ATTR_TYPE_RADIUS, createAttrContext); -#ifdef GSSEAP_ENABLE_REAUTH - struct rs_context *radContext; - - /* - * This hack is necessary in order to force the loading of the global - * dictionary, otherwise accepting reauthentication tokens fails unless - * the acceptor has already accepted a normal authentication token. - */ - if (rs_context_create(&radContext) != 0) - return false; - - if (rs_context_read_config(radContext, RS_CONFIG_FILE) != 0) { - rs_context_destroy(radContext); - return false; - } - - if (rs_context_init_freeradius_dict(radContext, NULL)) { - rs_context_destroy(radContext); - return false; - } - - rs_context_destroy(radContext); -#endif - return true; } 
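Review bot: The check added to gssEapAcquireCred validates only what gssEapCreateRadiusContext does — the config file parses and the FreeRADIUS dictionary loads — but not `cred->radiusConfigStanza`, which is first used by `rs_conn_create` in createRadiusHandle, so an acceptor credential naming a non-existent stanza still acquires successfully and fails only when the first context is accepted. If the intent is to fail at acquire time, also creating (and then releasing) the connection for the stanza here would close that gap; otherwise a comment such as `/* Validates the RADIUS config file and dictionary only; the stanza is not checked until accept time. */` on the new block keeps the limitation visible. The validated context is destroyed immediately and createRadiusHandle re-reads the file from disk, so this is a point-in-time check (a file changed between acquire and accept is not caught) and the parse plus dictionary load happens at least twice per credential; keeping the context on the credential, if its lifetime allows, would avoid the repeat. This block is also what now stands in for the dictionary-preloading hack removed from gss_eap_radius_attr_provider::init() in this commit, and it runs only for credentials with CRED_FLAG_ACCEPT, so whether an acceptor operating on a default credential still gets the dictionary before a reauthentication token arrives is worth confirming. gssEapAcquireCred and its `cleanup` label lie outside the hunk.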
@@ -871,3 +847,53 @@ gssEapRadiusMapError(OM_uint32 *minor,
 return GSS_S_FAILURE;
 }
+
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext)
+{
+ const char *configFile = RS_CONFIG_FILE;
+ struct rs_context *radContext;
+ struct rs_alloc_scheme ralloc;
+ struct rs_error *err;
+ OM_uint32 major;
+
+ *pRadContext = NULL;
+
+ if (rs_context_create(&radContext) != 0) {
+ *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
+ return GSS_S_FAILURE;
+ }
+
+ if (cred->radiusConfigFile.value != NULL)
+ configFile = (const char *)cred->radiusConfigFile.value;
+
+ ralloc.calloc = GSSEAP_CALLOC;
+ ralloc.malloc = GSSEAP_MALLOC;
+ ralloc.free = GSSEAP_FREE;
+ ralloc.realloc = GSSEAP_REALLOC;
+
+ rs_context_set_alloc_scheme(radContext, &ralloc);
+
+ if (rs_context_read_config(radContext, configFile) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ if (rs_context_init_freeradius_dict(radContext, NULL) != 0) {
+ err = rs_err_ctx_pop(radContext);
+ goto fail;
+ }
+
+ *pRadContext = radContext;
+
+ *minor = 0;
+ return GSS_S_COMPLETE;
+
+fail:
+ major = gssEapRadiusMapError(minor, err);
+ rs_context_destroy(radContext);
+
+ return major;
+}
diff --git a/moonshot/mech_eap/util_radius.h b/moonshot/mech_eap/util_radius.h
index d209347..481876a 100644
--- a/moonshot/mech_eap/util_radius.h
+++ b/moonshot/mech_eap/util_radius.h
@@ -154,6 +154,11 @@ OM_uint32
 gssEapRadiusMapError(OM_uint32 *minor,
 struct rs_error *err);
+OM_uint32
+gssEapCreateRadiusContext(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ struct rs_context **pRadContext);
+
 /* This really needs to be a function call on Windows */
 #define RS_CONFIG_FILE SYSCONFDIR "/radsec.conf"
--
2.1.4
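Review bot: `configFile = (const char *)cred->radiusConfigFile.value;` hands a gss_buffer value to `rs_context_read_config` as a NUL-terminated path, but nothing in this hunk honours `radiusConfigFile.length` or shows that a terminator is stored when the field is set; if that value can originate from an application-supplied gss_buffer_t, an unterminated buffer becomes an over-read inside libradsec — worth confirming where the field is populated, or storing a terminated copy there. `cred` is also dereferenced unconditionally, while the caller in accept_sec_context.c guards a null credential only with an assertion, so `if (cred != GSS_C_NO_CREDENTIAL && cred->radiusConfigFile.value != NULL)` would let the function fall back to RS_CONFIG_FILE instead of crashing in a release build. The failure path itself is sound as written: the radsec error is mapped into `*minor` before the context that produced it is destroyed, and `*pRadContext` is NULL on every error return.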
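Review bot: The new prototype for gssEapCreateRadiusContext carries no contract, and the two callers this commit adds use the result differently (createRadiusHandle keeps it in the acceptor context, gssEapAcquireCred destroys it at once), so ownership should be stated on the declaration. A comment above it such as `/* Build a radsec context from cred's RADIUS config file (RS_CONFIG_FILE if unset) and load the FreeRADIUS dictionary; on success the caller owns *pRadContext and must rs_context_destroy() it, on failure it is NULL and *minor holds the mapped radsec error. */` captures what the definition does. It is also worth saying that the config stanza is not consulted here — createRadiusHandle applies it when creating the connection — so callers do not assume the stanza was validated.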