X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=mech_eap%2Finit_sec_context.c;h=8a877fdbcb8c246e07d9c626675543304bd3be71;hb=49c65b803b43e159e38f6a16505bad54de153916;hp=46e925ea1f251a29944951d483b75c76bb1b207f;hpb=56a9ee2075289e8449941f0288ec97749b22a24b;p=mech_eap.git
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index 46e925e..8a877fd 100644
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -250,14 +250,22 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
     eapPeerConfig->anonymous_identity_len = 1 + realm.length;
 
     /* password */
-    eapPeerConfig->password = (unsigned char *)cred->password.value;
-    eapPeerConfig->password_len = cred->password.length;
+    if ((cred->flags & CRED_FLAG_CERTIFICATE) == 0) {
+        eapPeerConfig->password = (unsigned char *)cred->password.value;
+        eapPeerConfig->password_len = cred->password.length;
+    }
 
     /* certs */
     eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
     eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
     eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
 
+    if (cred->flags & CRED_FLAG_CERTIFICATE) {
+        eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
+        eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
+        eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
+    }
+
     *minor = 0;
     return GSS_S_COMPLETE;
 }
@@ -457,8 +465,10 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
     gss_OID actualMech = GSS_C_NO_OID;
     OM_uint32 gssFlags, timeRec;
 
-    GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
-
+    /*
+     * Here we use the passed in credential handle because the resolved
+     * context credential does not currently have the reauth creds.
+     */
     if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
         if (!gssEapCanReauthP(cred, target, timeReq))
             return GSS_S_CONTINUE_NEEDED;
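Review bot: In the certificate branch `cred->password.value` is handed to `private_key_passwd` with no length, whereas the password branch passes both `password` and `password_len`; the EAP peer config appears to treat `private_key_passwd` as a NUL-terminated string, so this silently relies on the credential's password buffer being NUL-terminated, which nothing in the hunk establishes. I would add `/* the credential password doubles as the private-key passphrase; it must be NUL-terminated */` above the `private_key_passwd` line, and confirm the NUL-termination where the credential is built. The two opposite tests of `CRED_FLAG_CERTIFICATE` are also split around the unconditional ca_cert/subject_match assignments; a single `if/else` would make the password-versus-certificate dichotomy explicit. peerConfigInit begins before this hunk.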
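Review bot: With the assertion moved below the state check (here, and its new placement in the hunk at @@ -470), `gssEapCanReauthP(cred, target, timeReq)` in the GSSEAP_STATE_INITIAL branch now runs before anything has verified that `cred` is not GSS_C_NO_CREDENTIAL; unless that helper tolerates a null handle (not visible here), a caller supplying no credential dereferences NULL. Since the new comment says the caller's handle is deliberately used at this point, the branch should fail closed instead: `if (cred == GSS_C_NO_CREDENTIAL || !gssEapCanReauthP(cred, target, timeReq)) return GSS_S_CONTINUE_NEEDED;`. GSSEAP_ASSERT is presumably compiled out in release builds, so the relocated assertion is not a runtime guard. eapGssSmInitGssReauth starts before this hunk and continues after it.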
@@ -470,6 +480,8 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
             goto cleanup;
     }
 
+    GSSEAP_ASSERT(cred != GSS_C_NO_CREDENTIAL);
+
     major = gssEapMechToGlueName(minor, target, &mechTarget);
     if (GSS_ERROR(major))
         goto cleanup;
@@ -961,6 +973,11 @@ gssEapInitSecContext(OM_uint32 *minor,
     OM_uint32 major, tmpMinor;
     int initialContextToken = (ctx->mechanismUsed == GSS_C_NO_OID);
 
+    /*
+     * XXX is acquiring the credential lock here necessary? The password is
+     * mutable but the contract could specify that this is not updated whilst
+     * a context is being initialized.
+     */
     if (cred != GSS_C_NO_CREDENTIAL)
         GSSEAP_MUTEX_LOCK(&cred->mutex);