Fix for OpenSSH interoperability

[mech_eap.orig] / util_cred.c

diff --git a/util_cred.c b/util_cred.c
index b7b3f57..a2a01ba 100644 (file)
--- a/util_cred.c
+++ b/util_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,6 +30,10 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * Utility routines for credential handles.
+ */
+
 #include "gssapiP_eap.h"
 
 OM_uint32
@@ -107,7 +111,7 @@ OM_uint32
 gssEapAcquireCred(OM_uint32 *minor,
                   const gss_name_t desiredName,
                   const gss_buffer_t password,
-                  OM_uint32 timeReq,
+                  OM_uint32 timeReq GSSEAP_UNUSED,
                   const gss_OID_set desiredMechs,
                   int credUsage,
                   gss_cred_id_t *pCred,
@@ -116,6 +120,9 @@ gssEapAcquireCred(OM_uint32 *minor,
 {
     OM_uint32 major, tmpMinor;
     gss_cred_id_t cred;
+#ifdef GSSEAP_DEBUG
+    gss_buffer_desc envPassword;
+#endif
 
     /* XXX TODO validate with changed set_cred_option API */
     *pCred = GSS_C_NO_CREDENTIAL;
@@ -124,6 +131,23 @@ gssEapAcquireCred(OM_uint32 *minor,
     if (GSS_ERROR(major))
         goto cleanup;
 
+    switch (credUsage) {
+    case GSS_C_BOTH:
+        cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
+        break;
+    case GSS_C_INITIATE:
+        cred->flags |= CRED_FLAG_INITIATE;
+        break;
+    case GSS_C_ACCEPT:
+        cred->flags |= CRED_FLAG_ACCEPT;
+        break;
+    default:
+        major = GSS_S_FAILURE;
+        *minor = GSSEAP_BAD_USAGE;
+        goto cleanup;
+        break;
+    }
+
     if (desiredName != GSS_C_NO_NAME) {
         GSSEAP_MUTEX_LOCK(&desiredName->mutex);
 
@@ -160,7 +184,13 @@ gssEapAcquireCred(OM_uint32 *minor,
         }
 
         if (nameBuf.length != 0) {
-            major = gssEapImportName(minor, &nameBuf, nameType, &cred->name);
+            gss_OID mech = GSS_C_NO_OID;
+
+            if (cred->mechanisms != GSS_C_NO_OID_SET &&
+                cred->mechanisms->count == 1)
+                mech = &cred->mechanisms->elements[0];
+
+            major = gssEapImportName(minor, &nameBuf, nameType, mech, &cred->name);
             if (GSS_ERROR(major))
                 goto cleanup;
         }
@@ -168,13 +198,22 @@ gssEapAcquireCred(OM_uint32 *minor,
         cred->flags |= CRED_FLAG_DEFAULT_IDENTITY;
     }
 
+#ifdef GSSEAP_DEBUG
+    if (password == GSS_C_NO_BUFFER &&
+        (envPassword.value = getenv("GSSEAP_CREDS")) != NULL) {
+        envPassword.length = strlen((char *)envPassword.value);
+        major = duplicateBuffer(minor, &envPassword, &cred->password);
+        if (GSS_ERROR(major))
+            goto cleanup;
+    } else
+#endif /* GSSEAP_DEBUG */
     if (password != GSS_C_NO_BUFFER) {
         major = duplicateBuffer(minor, password, &cred->password);
         if (GSS_ERROR(major))
             goto cleanup;
 
         cred->flags |= CRED_FLAG_PASSWORD;
-    } else if (credUsage == GSS_C_INITIATE) {
+    } else if (cred->flags & CRED_FLAG_INITIATE) {
         /*
          * OK, here we need to ask the supplicant if we have creds or it
          * will acquire them, so GS2 can know whether to prompt for a
@@ -184,26 +223,10 @@ gssEapAcquireCred(OM_uint32 *minor,
         && !gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)
 #endif
         major = GSS_S_CRED_UNAVAIL;
+        *minor = GSSEAP_MISSING_PASSWORD;
         goto cleanup;
     }
 
-    switch (credUsage) {
-    case GSS_C_BOTH:
-        cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
-        break;
-    case GSS_C_INITIATE:
-        cred->flags |= CRED_FLAG_INITIATE;
-        break;
-    case GSS_C_ACCEPT:
-        cred->flags |= CRED_FLAG_ACCEPT;
-        break;
-    default:
-        major = GSS_S_FAILURE;
-        *minor = GSSEAP_BAD_USAGE;
-        goto cleanup;
-        break;
-    }
-
     major = gssEapValidateMechs(minor, desiredMechs);
     if (GSS_ERROR(major))
         goto cleanup;