X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=blobdiff_plain;f=util_cred.c;h=633011859217e9111a8e66d835688f266413a871;hp=ab24151cf3155a041cfc5677d4de8268c4c331cd;hb=ae79fdae047f980d01b2b4e84ccea52e24d8c7a0;hpb=bc5d85d5857186ac7fbb0a30b6d432a2ea2c3036
diff --git a/util_cred.c b/util_cred.c
index ab24151..6330118 100644
--- a/util_cred.c
+++ b/util_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -30,6 +30,10 @@
 * SUCH DAMAGE.
 */
+/*
+ * Utility routines for credential handles.
+ */
+
 #include "gssapiP_eap.h"
 OM_uint32
@@ -63,11 +67,14 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
 {
 OM_uint32 tmpMinor;
 gss_cred_id_t cred = *pCred;
+ krb5_context krbContext = NULL;
 if (cred == GSS_C_NO_CREDENTIAL) {
 return GSS_S_COMPLETE;
 }
+ GSSEAP_KRB_INIT(&krbContext);
+
 gssEapReleaseName(&tmpMinor, &cred->name);
 if (cred->password.value != NULL) {
@@ -76,7 +83,20 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
 }
 if (cred->radiusConfigFile != NULL)
- free(cred->radiusConfigFile);
+ GSSEAP_FREE(cred->radiusConfigFile);
+ if (cred->radiusConfigStanza != NULL)
+ GSSEAP_FREE(cred->radiusConfigStanza);
+
+#ifdef GSSEAP_ENABLE_REAUTH
+ if (cred->krbCredCache != NULL) {
+ if (cred->flags & CRED_FLAG_DEFAULT_CCACHE)
+ krb5_cc_close(krbContext, cred->krbCredCache);
+ else
+ krb5_cc_destroy(krbContext, cred->krbCredCache);
+ }
+ if (cred->krbCred != GSS_C_NO_CREDENTIAL)
+ gssReleaseCred(&tmpMinor, &cred->krbCred);
+#endif
 GSSEAP_MUTEX_DESTROY(&cred->mutex);
 memset(cred, 0, sizeof(*cred));
@@ -91,7 +111,7 @@ OM_uint32
 gssEapAcquireCred(OM_uint32 *minor,
 const gss_name_t desiredName,
 const gss_buffer_t password,
- OM_uint32 timeReq,
+ OM_uint32 timeReq GSSEAP_UNUSED,
 const gss_OID_set desiredMechs,
 int credUsage,
 gss_cred_id_t *pCred,
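Review bot: `krbContext` is declared and initialised with `GSSEAP_KRB_INIT(&krbContext)` unconditionally in this hunk, but its only reads are in the next hunk of gssEapReleaseCred, inside `#ifdef GSSEAP_ENABLE_REAUTH` (the `krb5_cc_close` / `krb5_cc_destroy` calls), so with reauth disabled the variable is set but never read and may draw an unused-but-set warning depending on what the macro expands to. Unless GSSEAP_KRB_INIT has a side effect the release path depends on, move the declaration and the init under the same `#ifdef GSSEAP_ENABLE_REAUTH`, or add a comment saying why they are needed unconditionally. In that next hunk the close-versus-destroy decision presumably protects a shared default cache from being deleted; a one-line comment above the `krbCredCache` test, e.g. `/* the default ccache is shared with the caller: close it, never destroy it */`, would record that intent. gssEapReleaseCred's body continues outside this hunk.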
@@ -120,23 +140,48 @@ gssEapAcquireCred(OM_uint32 *minor,
 break;
 default:
 major = GSS_S_FAILURE;
+ *minor = GSSEAP_BAD_USAGE;
 goto cleanup;
 break;
 }
 if (desiredName != GSS_C_NO_NAME) {
+ GSSEAP_MUTEX_LOCK(&desiredName->mutex);
+
 major = gssEapDuplicateName(minor, desiredName, &cred->name);
- if (GSS_ERROR(major))
+ if (GSS_ERROR(major)) {
+ GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
 goto cleanup;
+ }
+
+ GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
 } else {
- if (cred->flags & CRED_FLAG_INITIATE) {
- gss_buffer_desc buf;
+ gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
+ gss_OID nameType = GSS_C_NO_OID;
+
+ if (cred->flags & CRED_FLAG_ACCEPT) {
+ char serviceName[5 + MAXHOSTNAMELEN] = "host@";
- buf.value = getlogin(); /* XXX */
- buf.length = strlen((char *)buf.value);
+ /* default host-based service is host@localhost */
+ if (gethostname(&serviceName[5], MAXHOSTNAMELEN) != 0) {
+ major = GSS_S_FAILURE;
+ *minor = GSSEAP_NO_HOSTNAME;
+ goto cleanup;
+ }
+
+ nameBuf.value = serviceName;
+ nameBuf.length = strlen((char *)nameBuf.value);
+
+ nameType = GSS_C_NT_HOSTBASED_SERVICE;
+ } else if (cred->flags & CRED_FLAG_INITIATE) {
+ nameBuf.value = getlogin(); /* XXX */
+ nameBuf.length = strlen((char *)nameBuf.value);
+
+ nameType = GSS_C_NT_USER_NAME;
+ }
- major = gssEapImportName(minor, &buf,
- GSS_C_NT_USER_NAME, &cred->name);
+ if (nameBuf.length != 0) {
+ major = gssEapImportName(minor, &nameBuf, nameType, &cred->name);
 if (GSS_ERROR(major))
 goto cleanup;
 }
@@ -150,6 +195,18 @@ gssEapAcquireCred(OM_uint32 *minor,
 goto cleanup;
 cred->flags |= CRED_FLAG_PASSWORD;
+ } else if (cred->flags & CRED_FLAG_INITIATE) {
+ /*
+ * OK, here we need to ask the supplicant if we have creds or it
+ * will acquire them, so GS2 can know whether to prompt for a
+ * password or not.
+ */
+#if 0
+ && !gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)
+#endif
+ major = GSS_S_CRED_UNAVAIL;
+ *minor = GSSEAP_MISSING_PASSWORD;
+ goto cleanup;
 }
 major = gssEapValidateMechs(minor, desiredMechs);
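Review bot: In the new `CRED_FLAG_ACCEPT` branch, `gethostname(&serviceName[5], MAXHOSTNAMELEN)` is not guaranteed to NUL-terminate a truncated host name (POSIX leaves that unspecified), so the following `strlen((char *)nameBuf.value)` can read past the end of `serviceName`; pass the remaining space as `sizeof(serviceName) - 5` and force a terminator before measuring, and note the comment above it says `host@localhost` although the code builds `host@<local hostname>`. In the `CRED_FLAG_INITIATE` branch, `getlogin()` may return NULL (no controlling terminal, as in a daemon) and `strlen` runs before the `nameBuf.length != 0` guard, so that guard cannot protect it; the carried-over `/* XXX */` marks this but does not fix it, and getlogin() also reports the terminal's login name rather than the process's effective user, which is the wrong identity to bind a credential to when the two differ. The minor code for a NULL login is not on the page, so a labelled placeholder is used below. gssEapAcquireCred's body continues outside the hunk.
```c
            if (gethostname(&serviceName[5], sizeof(serviceName) - 5) != 0) {
                /* … unchanged: GSS_S_FAILURE / GSSEAP_NO_HOSTNAME, goto cleanup … */
            }
            /* gethostname() need not NUL-terminate a truncated name */
            serviceName[sizeof(serviceName) - 1] = '\0';
            /* … unchanged: nameBuf / nameType for the host-based service … */
        } else if (cred->flags & CRED_FLAG_INITIATE) {
            nameBuf.value = getlogin(); /* XXX terminal login, not the effective uid */
            if (nameBuf.value == NULL) {
                major = GSS_S_FAILURE;
                *minor = GSSEAP_MINOR_CODE_PLACEHOLDER; /* placeholder: pick the matching GSSEAP_* code */
                goto cleanup;
            }
            nameBuf.length = strlen((char *)nameBuf.value);
            /* … unchanged: nameType = GSS_C_NT_USER_NAME … */
```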
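Review bot: The `#if 0` / `#endif` block in the new `CRED_FLAG_INITIATE` branch is a dangling fragment (`&& !gssEapCanReauthP(...)` is not a complete expression), so it cannot simply be re-enabled and only records an intention, while the signature hunk marks `timeReq` as `GSSEAP_UNUSED` even though this fragment still references it. The comment above it says the supplicant should be consulted, yet the code unconditionally returns `GSS_S_CRED_UNAVAIL`, so the comment describes behaviour the function does not have. Replace the preprocessor-disabled fragment with an explicit note such as `/* TODO: consult the supplicant (cf. gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)) before failing, so GS2 can decide whether to prompt; until then, initiator credentials without a password are refused */` and keep the failure as the documented current behaviour. gssEapAcquireCred's body continues outside the hunk.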
@@ -170,7 +227,9 @@ gssEapAcquireCred(OM_uint32 *minor,
 *timeRec = GSS_C_INDEFINITE;
 *pCred = cred;
+ major = GSS_S_COMPLETE;
+ *minor = 0;
 cleanup:
 if (GSS_ERROR(major))
@@ -179,6 +238,10 @@ cleanup:
 return major;
 }
+/*
+ * Return TRUE if cred available for mechanism. Caller need no acquire
+ * lock because mechanisms list is immutable.
+ */
 int
 gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech)
 {
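Review bot: The new comment above gssEapCredAvailable reads awkwardly (`Caller need no acquire lock because mechanisms list is immutable`) and the immutability claim is exactly what a later reader will rely on, so it should be stated precisely and name the field it refers to. Suggested wording: `/* Return TRUE if the credential can be used with the given mechanism. The caller need not hold the credential's lock because the credential's mechanism list is immutable once acquired. */`, adjusting the field description to match the body. The body of gssEapCredAvailable lies outside the hunk.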