Better error reporting through com_err

[mech_eap.git] / util_cred.c

diff --git a/util_cred.c b/util_cred.c
index 3893ff6..58700c7 100644 (file)
--- a/util_cred.c
+++ b/util_cred.c
@@ -80,10 +80,16 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
 
     if (cred->radiusConfigFile != NULL)
         GSSEAP_FREE(cred->radiusConfigFile);
+    if (cred->radiusConfigStanza != NULL)
+        GSSEAP_FREE(cred->radiusConfigStanza);
 
 #ifdef GSSEAP_ENABLE_REAUTH
-    if (cred->krbCredCache != NULL)
-        krb5_cc_destroy(krbContext, cred->krbCredCache);
+    if (cred->krbCredCache != NULL) {
+        if (cred->flags & CRED_FLAG_DEFAULT_CCACHE)
+            krb5_cc_close(krbContext, cred->krbCredCache);
+        else
+            krb5_cc_destroy(krbContext, cred->krbCredCache);
+    }
     if (cred->krbCred != GSS_C_NO_CREDENTIAL)
         gssReleaseCred(&tmpMinor, &cred->krbCred);
 #endif
@@ -118,26 +124,16 @@ gssEapAcquireCred(OM_uint32 *minor,
     if (GSS_ERROR(major))
         goto cleanup;
 
-    switch (credUsage) {
-    case GSS_C_BOTH:
-        cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
-        break;
-    case GSS_C_INITIATE:
-        cred->flags |= CRED_FLAG_INITIATE;
-        break;
-    case GSS_C_ACCEPT:
-        cred->flags |= CRED_FLAG_ACCEPT;
-        break;
-    default:
-        major = GSS_S_FAILURE;
-        goto cleanup;
-        break;
-    }
-
     if (desiredName != GSS_C_NO_NAME) {
+        GSSEAP_MUTEX_LOCK(&desiredName->mutex);
+
         major = gssEapDuplicateName(minor, desiredName, &cred->name);
-        if (GSS_ERROR(major))
+        if (GSS_ERROR(major)) {
+            GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
             goto cleanup;
+        }
+
+        GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
     } else {
         if (cred->flags & CRED_FLAG_INITIATE) {
             gss_buffer_desc buf;
@@ -160,6 +156,34 @@ gssEapAcquireCred(OM_uint32 *minor,
             goto cleanup;
 
         cred->flags |= CRED_FLAG_PASSWORD;
+    } else if (credUsage == GSS_C_INITIATE) {
+        /*
+         * OK, here we need to ask the supplicant if we have creds or it
+         * will acquire them, so GS2 can know whether to prompt for a
+         * password or not.
+         */
+#if 0
+        && !gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)
+#endif
+        major = GSS_S_CRED_UNAVAIL;
+        goto cleanup;
+    }
+
+    switch (credUsage) {
+    case GSS_C_BOTH:
+        cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
+        break;
+    case GSS_C_INITIATE:
+        cred->flags |= CRED_FLAG_INITIATE;
+        break;
+    case GSS_C_ACCEPT:
+        cred->flags |= CRED_FLAG_ACCEPT;
+        break;
+    default:
+        *minor = GSSEAP_BAD_USAGE;
+        major = GSS_S_FAILURE;
+        goto cleanup;
+        break;
     }
 
     major = gssEapValidateMechs(minor, desiredMechs);
@@ -189,6 +213,10 @@ cleanup:
     return major;
 }
 
+/*
+ * Return TRUE if cred available for mechanism. Caller need no acquire
+ * lock because mechanisms list is immutable.
+ */
 int
 gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech)
 {