Hang default cred off credential object

diff --git a/accept_sec_context.c b/accept_sec_context.c
index ba0f021..6b0bb6a 100644 (file)
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -416,12 +416,12 @@ eapGssSmAcceptExtensionsResp(OM_uint32 *minor,
     OM_uint32 major, tmpMinor;
     gss_buffer_desc credsToken = GSS_C_EMPTY_BUFFER;
 
+#ifdef GSSEAP_ENABLE_REAUTH
     /*
      * If we're built with fast reauthentication enabled, then
      * fabricate a ticket from the initiator to ourselves.
      * Otherwise return an empty token.
      */
-#ifdef GSSEAP_ENABLE_REAUTH
     major = gssEapMakeReauthCreds(minor, ctx, cred, &credsToken);
     if (GSS_ERROR(major))
         return major;
@@ -504,7 +504,8 @@ gss_accept_sec_context(OM_uint32 *minor,
     output_token->length = 0;
     output_token->value = NULL;
 
-    if (cred != GSS_C_NO_CREDENTIAL && !(cred->flags & CRED_FLAG_ACCEPT)) {
+    if (cred != GSS_C_NO_CREDENTIAL &&
+        (cred->flags & CRED_FLAG_ACCEPT) == 0) {
         return GSS_S_NO_CRED;
     }
 

diff --git a/gssapiP_eap.h b/gssapiP_eap.h
index b46c2bc..1003845 100644 (file)
--- a/gssapiP_eap.h
+++ b/gssapiP_eap.h
@@ -129,6 +129,7 @@ enum gss_eap_state {
 #define CTX_FLAG_EAP_MASK                   0xFFFF0000
 
 struct gss_eap_initiator_ctx {
+    gss_cred_id_t defaultCred;
     unsigned int idleWhile;
 #ifndef __cplusplus
     struct eap_peer_config eapPeerConfig;

diff --git a/init_sec_context.c b/init_sec_context.c
index cdc5ddb..515f044 100644 (file)
--- a/init_sec_context.c
+++ b/init_sec_context.c
@@ -633,22 +633,6 @@ gss_init_sec_context(OM_uint32 *minor,
     output_token->length = 0;
     output_token->value = NULL;
 
-    if (cred != GSS_C_NO_CREDENTIAL) {
-        if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
-            major = GSS_S_NO_CRED;
-            goto cleanup;
-        }
-    } else {
-        /* XXX TODO should we store this in the context handle? */
-        major = gssEapAcquireCred(minor, GSS_C_NO_NAME, GSS_C_NO_BUFFER,
-                                  time_req, GSS_C_NO_OID_SET, GSS_C_INITIATE,
-                                  &defaultCred, NULL, NULL);
-        if (GSS_ERROR(major))
-            goto cleanup;
-
-        cred = defaultCred;
-    }
-
     if (ctx == GSS_C_NO_CONTEXT) {
         if (input_token != GSS_C_NO_BUFFER && input_token->length != 0) {
             return GSS_S_DEFECTIVE_TOKEN;
@@ -668,6 +652,29 @@ gss_init_sec_context(OM_uint32 *minor,
         *context_handle = ctx;
     }
 
+    if (cred != GSS_C_NO_CREDENTIAL) {
+        if ((cred->flags & CRED_FLAG_INITIATE) == 0) {
+            major = GSS_S_NO_CRED;
+            goto cleanup;
+        }
+    } else {
+        if (ctx->initiatorCtx.defaultCred == GSS_C_NO_CREDENTIAL) {
+            major = gssEapAcquireCred(minor,
+                                      GSS_C_NO_NAME,
+                                      GSS_C_NO_BUFFER,
+                                      time_req,
+                                      GSS_C_NO_OID_SET,
+                                      GSS_C_INITIATE,
+                                      &defaultCred,
+                                      NULL,
+                                      NULL);
+            if (GSS_ERROR(major))
+                goto cleanup;
+        }
+
+        cred = ctx->initiatorCtx.defaultCred;
+    }
+
     GSSEAP_MUTEX_LOCK(&ctx->mutex);
 
     sm = &eapGssInitiatorSm[ctx->state];
@@ -735,7 +742,6 @@ cleanup:
         gssEapReleaseContext(&tmpMinor, context_handle);
 
     gss_release_buffer(&tmpMinor, &innerOutputToken);
-    gssEapReleaseCred(&tmpMinor, &defaultCred);
 
     return major;
 }

diff --git a/util_context.c b/util_context.c
index 37edb63..37bdb38 100644 (file)
--- a/util_context.c
+++ b/util_context.c
@@ -76,6 +76,9 @@ gssEapAllocContext(OM_uint32 *minor,
 static void
 releaseInitiatorContext(struct gss_eap_initiator_ctx *ctx)
 {
+    OM_uint32 minor;
+
+    gssEapReleaseCred(&minor, &ctx->defaultCred);
     eap_peer_sm_deinit(ctx->eap);
 }