Revert "Support EAP-TLS in Moonshot (requires OpenSSL)"
[mech_eap.orig] / mech_eap / init_sec_context.c
index dc5c70f..e99b479 100644 (file)
@@ -457,8 +457,10 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
     gss_OID actualMech = GSS_C_NO_OID;
     OM_uint32 gssFlags, timeRec;
 
-    GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
-
+    /*
+     * Here we use the passed in credential handle because the resolved
+     * context credential does not currently have the reauth creds.
+     */
     if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
         if (!gssEapCanReauthP(cred, target, timeReq))
             return GSS_S_CONTINUE_NEEDED;
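Review bot: In the INITIAL branch `cred` is handed to gssEapCanReauthP() before the assertion that it is not GSS_C_NO_CREDENTIAL, which now sits below the state check (second hunk, after the cleanup label), and the comment above it only explains why the caller's handle is used, not that it must be non-null. If gssEapCanReauthP() dereferences the handle, a caller passing GSS_C_NO_CREDENTIAL reaches it unguarded, and a GSSEAP_ASSERT is typically compiled out of release builds, so it would not catch that even where it sits. Unless gssEapCanReauthP() is known to tolerate a null credential, an explicit guard ahead of the call, `if (cred == GSS_C_NO_CREDENTIAL) return GSS_S_CONTINUE_NEEDED;`, would presumably treat the no-credential case like "cannot reauthenticate" and keep the ordinary EAP path; otherwise state that tolerance in the comment. eapGssSmInitGssReauth() begins before this hunk and continues past it.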
@@ -470,6 +472,8 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
         goto cleanup;
     }
 
+    GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
+
     major = gssEapMechToGlueName(minor, target, &mechTarget);
     if (GSS_ERROR(major))
         goto cleanup;
@@ -961,6 +965,11 @@ gssEapInitSecContext(OM_uint32 *minor,
     OM_uint32 major, tmpMinor;
     int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);
 
+    /*
+     * XXX is acquiring the credential lock here necessary? The password is
+     * mutable but the contract could specify that this is not updated whilst
+     * a context is being initialized.
+     */
     if (cred != GSS_C_NO_CREDENTIAL)
         GSSEAP_MUTEX_LOCK(&cred->mutex);
 
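Review bot: The added XXX comment leaves an open question in the code rather than a decision, and the comment itself supplies the answer: the password is mutable, so reading it during context initialization without the lock would race with a concurrent update, and the lock should stay until a caller contract forbidding such updates actually exists. Reword it to state the invariant the lock protects, e.g. `/* Hold the credential lock while initializing: the credential's password is mutable and must not change under us. */`. The matching unlock is outside this hunk; it should be guarded by the same `cred != GSS_C_NO_CREDENTIAL` condition. gssEapInitSecContext() starts before this hunk and continues after it.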
@@ -1048,8 +1057,6 @@ gss_init_sec_context(OM_uint32 *minor,
     output_token->length = 0;
     output_token->value = NULL;
 
-    GSSEAP_ASSERT(ctx == GSS_C_NO_CONTEXT || ctx->mechanismUsed != GSS_C_NO_OID);
-
     if (ctx == GSS_C_NO_CONTEXT) {
         if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
             *minor = GSSEAP_WRONG_SIZE;
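Review bot: With the assertion gone, nothing at the API entry point records that an existing context handle is expected to carry a mechanism OID; gssEapInitSecContext() (previous hunk) derives `initialContextToken` from `ctx->mechanismUsed == GSS_C_NO_OID`, so a caller-supplied context without one would be treated as a first call. A one-line comment ahead of the `if (ctx == GSS_C_NO_CONTEXT)` check would keep that knowledge in place, e.g. `/* An established ctx has mechanismUsed set; gssEapInitSecContext() takes GSS_C_NO_OID to mean a first call. */`. gss_init_sec_context() continues past the end of this hunk.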