From: Sam Hartman
Date: Tue, 11 Sep 2012 19:50:30 +0000 (-0400)
Subject: Send acceptor name and verify
X-Git-Tag: 0.9.2~74
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=69e47a08c6fde7dd82fe821bc4e0c47278300a4b

Send acceptor name and verify

In extensions state, send the acceptor name. When the acceptor name is sent, verify if we already have a name hint.
---
diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c
index cd51e70..ded1ec8 100644
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -851,6 +851,13 @@ static struct gss_eap_sm eapGssAcceptorSm[] = {
 #endif
     {
         ITOK_TYPE_NONE,
+        ITOK_TYPE_ACCEPTOR_NAME_RESP,
+        GSSEAP_STATE_ACCEPTOR_EXTS,
+        0,
+        eapGssSmAcceptAcceptorName
+    },
+    {
+        ITOK_TYPE_NONE,
         ITOK_TYPE_ACCEPTOR_MIC,
         GSSEAP_STATE_ACCEPTOR_EXTS,
         0,
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index a123626..fa4d832 100644
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
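Review bot: The new eapGssAcceptorSm entry that emits ITOK_TYPE_ACCEPTOR_NAME_RESP in GSSEAP_STATE_ACCEPTOR_EXTS carries no comment saying what protects that token; it is placed before the ITOK_TYPE_ACCEPTOR_MIC entry, which presumably means the MIC is meant to cover it, and a dependency on table order like that should be written down, e.g. `/* Must precede ITOK_TYPE_ACCEPTOR_MIC so the name response is covered by the MIC */`. The handler, eapGssSmAcceptAcceptorName, is outside this diff; since this entry invokes it with ITOK_TYPE_NONE as input in the extensions state, confirm it tolerates a missing input token on that path. The enclosing array starts before and ends after the hunk.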
@@ -561,17 +561,36 @@ eapGssSmInitAcceptorName(OM_uint32 *minor,
                                    outputToken, NULL);
         if (GSS_ERROR(major))
             return major;
-    } else if (inputToken != GSS_C_NO_BUFFER &&
-               ctx->acceptorName == GSS_C_NO_NAME) {
-        /* Accept target name hint from acceptor */
+    } else if (inputToken != GSS_C_NO_BUFFER) {
+        /* Accept target name hint from acceptor or verify acceptor*/
+        gss_name_t importedName;
         major = gssEapImportName(minor, inputToken,
                                  GSS_C_NT_USER_NAME,
                                  ctx->mechanismUsed,
-                                 &ctx->acceptorName);
+                                 &importedName);
         if (GSS_ERROR(major))
             return major;
+        if (ctx->acceptorName) {
+            /* verify name */
+            int equal = 0;
+            OM_uint32 ignoredMinor = 0;
+            major = gss_compare_name(minor, importedName,
+                                     ctx->acceptorName, &equal);
+            gss_release_name(&ignoredMinor, &importedName);
+            if (GSS_ERROR(major))
+                return major;
+            if (!equal) {
+                *minor = GSSEAP_BAD_CONTEXT_TOKEN;
+                return GSS_S_DEFECTIVE_TOKEN;
+            }
+        } else {
+            /* accept acceptor name hint */
+            ctx->acceptorName = importedName;
+            importedName = NULL;
+        }
     }
+
     /*
      * Currently, other parts of the code assume that the acceptor name
      * is available, hence this check.
@@ -892,7 +911,8 @@ static struct gss_eap_sm eapGssInitiatorSm[] = {
     {
         ITOK_TYPE_ACCEPTOR_NAME_RESP,
         ITOK_TYPE_ACCEPTOR_NAME_REQ,
-        GSSEAP_STATE_INITIAL | GSSEAP_STATE_AUTHENTICATE,
+        GSSEAP_STATE_INITIAL | GSSEAP_STATE_AUTHENTICATE
+        | GSSEAP_STATE_ACCEPTOR_EXTS ,
         0,
         eapGssSmInitAcceptorName
     },
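Review bot: The added `if (ctx->acceptorName)` verification only establishes something when ctx->acceptorName came from the caller's target name: the `else` branch stores a name the acceptor itself supplied, and the second hunk in this file enables the handler in GSSEAP_STATE_INITIAL, GSSEAP_STATE_AUTHENTICATE and GSSEAP_STATE_ACCEPTOR_EXTS, so a hint accepted in an early state appears to become the reference the later name is compared against. Unless the caller-supplied and hint-derived cases are told apart (for example a context flag set only in the `else` branch and consulted here), this should at least be stated above the check: `/* Only meaningful when acceptorName was supplied by the caller; a hint accepted in an earlier state is acceptor-chosen */`. Smaller points: keep the removed line's form `if (ctx->acceptorName != GSS_C_NO_NAME)` rather than a bare pointer test, `importedName = NULL;` after the ownership transfer is a dead store, and the comment `/* Accept target name hint from acceptor or verify acceptor*/` lacks a space before `*/`. eapGssSmInitAcceptorName starts and ends outside the hunk.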
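Review bot: `| GSSEAP_STATE_ACCEPTOR_EXTS ,` has a stray space before the comma, and the continuation style differs from the rest of the table, where the removed line kept the operator at the end of the line; `GSSEAP_STATE_INITIAL | GSSEAP_STATE_AUTHENTICATE |` followed by `GSSEAP_STATE_ACCEPTOR_EXTS,` would match. A short comment on why eapGssSmInitAcceptorName now also runs in the extensions state (to take the acceptor's post-authentication name, per the commit message) would help a later reader of eapGssInitiatorSm, which starts and ends outside the hunk.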