From: Pete Fotheringham
Date: Wed, 30 Nov 2011 18:33:33 +0000 (+0000)
Subject: Merge branch 'master' of http://www.project-moonshot.org/git/moonshot
X-Git-Tag: 0.9.2~92
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.git;a=commitdiff_plain;h=aed886ea46a63d804c292e7d6729ec3fffa56e76;hp=46b02b87ff6395ff4e9f133e67445864e62a80d1
Merge branch 'master' of project-moonshot.org/git/moonshot
Conflicts:
	moonshot/mech_eap/Makefile.am
---
diff --git a/acinclude.m4 b/acinclude.m4
index 9da57ed..6f43261 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -118,7 +118,7 @@ else
 -DEAP_SERVER_GPSK \
 -DEAP_SERVER_GPSK_SHA256 \
 -DIEEE8021X_EAPOL";
- EAP_LIBS="-leap -lutils -lcrypto -ltls -lssl";
+ EAP_LIBS="-leap -lutils -lcrypto -ltls";
 EAP_LDFLAGS="-L$eapdir/eap_example -L$eapdir/src/utils -L$eapdir/src/crypto -L$eapdir/src/tls";
 AC_SUBST(EAP_CFLAGS)
 AC_SUBST(EAP_LDFLAGS)
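Review bot: `EAP_LIBS` still links `-lcrypto`, which is also the library name of the OpenSSL libcrypto that this merge stops detecting; the only thing steering the linker to hostap's bundled `src/crypto` archive is the `-L$eapdir/src/crypto` entry in `EAP_LDFLAGS` on the next line, and a tree where that directory holds no libcrypto archive would silently resolve `-lcrypto` to the system OpenSSL instead. A comment on the changed line, `# -lcrypto/-ltls are libeap's internal src/crypto and src/tls archives, not OpenSSL`, would make the intent explicit, and giving those archives distinct names (or linking them by path) would remove the ambiguity altogether. The `else` branch this hunk sits in starts outside the hunk.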
@@ -252,44 +252,6 @@ fi
 fi
 ])dnl
-AC_DEFUN([AX_CHECK_OPENSSL],
-[AC_MSG_CHECKING(for OpenSSL)
-OPENSSL_DIR=
-found_openssl="no"
-AC_ARG_WITH(openssl,
- AC_HELP_STRING([--with-openssl],
- [Use OpenSSL (in specified installation directory)]),
- [check_openssl_dir="$withval"],
- [check_openssl_dir=])
-for dir in $check_openssl_dir $prefix /usr /usr/local ; do
- openssldir="$dir"
- if test -f "$dir/include/openssl/opensslv.h"; then
- found_openssl="yes";
- OPENSSL_DIR="${openssldir}"
- OPENSSL_CFLAGS="-I$openssldir/include";
- break;
- fi
-done
-AC_MSG_RESULT($found_openssl)
-if test x_$found_openssl != x_yes; then
- AC_MSG_ERROR([
----------------------------------------------------------------------
- Cannot find OpenSSL libraries.
-
- Please install libssl or specify installation directory with
- --with-openssl=(dir).
----------------------------------------------------------------------
-])
-else
- printf "OpenSSL found in $openssldir\n";
- OPENSSL_LIBS="-lssl -lcrypto";
- OPENSSL_LDFLAGS="-L$openssldir/lib";
- AC_SUBST(OPENSSL_CFLAGS)
- AC_SUBST(OPENSSL_LDFLAGS)
- AC_SUBST(OPENSSL_LIBS)
-fi
-])dnl
-
 AC_DEFUN([AX_CHECK_RADSEC],
 [AC_MSG_CHECKING(for radsec)
 RADSEC_DIR=
diff --git a/configure.ac b/configure.ac
index 1049dd7..4297345 100644
--- a/configure.ac
+++ b/configure.ac
@@ -81,8 +81,6 @@ if test x_$found_shibresolver = x_yes; then
 AX_CHECK_SHIBSP
 fi
-AX_CHECK_OPENSSL
-
 if test "x$acceptor" = "xyes" ; then
 AX_CHECK_RADSEC
 AX_CHECK_JANSSON
diff --git a/libeap/Makefile.am b/libeap/Makefile.am
index 8cc9fb5..163e4ff 100644
--- a/libeap/Makefile.am
+++ b/libeap/Makefile.am
@@ -1,6 +1,6 @@
 AUTOMAKE_OPTIONS = foreign
-AM_CPPFLAGS = -I$(srcdir)/src -I$(srcdir)/eap_example -I$(srcdir)/src/utils @OPENSSL_CFLAGS@
+AM_CPPFLAGS = -I$(srcdir)/src -I$(srcdir)/eap_example -I$(srcdir)/src/utils
 noinst_HEADERS = \
 src/common/defs.h \
 src/common/eapol_common.h \
@@ -19,7 +19,7 @@ SOURCES_BOTH += src/eap_common/eap_pax_common.c
 SOURCES_BOTH += src/eap_common/eap_sake_common.c
 SOURCES_BOTH += src/eap_common/eap_gpsk_common.c
 SOURCES_BOTH += src/eap_common/chap.c \
- src/eap_common/chap.h \
+src/eap_common/chap.h \
 src/eap_common/eap_common.h \
 src/eap_common/eap_defs.h \
 src/eap_common/eap_fast_common.h \
@@ -93,9 +93,8 @@ CFLAGS += -DIEEE8021X_EAPOL
 CFLAGS += -DCONFIG_IPV6
 CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
-CFLAGS += -DCONFIG_INTERNAL_SHA1
-CFLAGS += -DEAP_TLS_OPENSSL
-CFLAGS += -DPKCS12_FUNCS
+CFLAGS += -DCONFIG_CRYPTO_INTERNAL
+CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
 UTILS_SRCS = src/utils/base64.c \
 src/utils/common.c \
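Review bot: The replacement of `-DEAP_TLS_OPENSSL`/`-DPKCS12_FUNCS` by `-DCONFIG_CRYPTO_INTERNAL` and `-DCONFIG_TLS_INTERNAL_CLIENT` in the second hunk moves every EAP tunnel's TLS and crypto onto the implementation bundled in this tree, yet nothing in the Makefile records that or why. Since this trades a system library that receives distribution security updates for vendored code, a comment above the new lines would help whoever next audits the build, for example `# Use hostap's bundled crypto and TLS client instead of OpenSSL; OpenSSL detection was dropped from configure.ac in the same change`. Only the client side is enabled here while the `TLS_SRCS` hunk later in this file still compiles `src/tls/tlsv1_server*.c`; presumably those become dead objects, but confirming they are not needed, or adding the matching server option if they are, deserves a line in the same comment. The `CONFIG_INTERNAL_LIBTOMMATH` line that stays now presumably backs the TLS handshake's bignum arithmetic rather than only MSCHAP, which is another reason to say what each define is for.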
@@ -129,30 +128,51 @@ CRYPTO_SRCS = \
 src/crypto/aes-ctr.c \
 src/crypto/aes-eax.c \
 src/crypto/aes-encblock.c \
+ src/crypto/aes-internal.c \
+ src/crypto/aes-internal-dec.c \
+ src/crypto/aes-internal-enc.c \
 src/crypto/aes-omac1.c \
 src/crypto/aes-unwrap.c \
 src/crypto/aes-wrap.c \
+ src/crypto/des-internal.c \
+ src/crypto/dh_group5.c \
+ src/crypto/dh_groups.c \
+ src/crypto/md4-internal.c \
 src/crypto/md5.c \
+ src/crypto/md5-internal.c \
 src/crypto/md5-non-fips.c \
 src/crypto/milenage.c \
 src/crypto/ms_funcs.c \
+ src/crypto/rc4.c \
 src/crypto/sha1.c \
+ src/crypto/sha1-internal.c \
 src/crypto/sha1-pbkdf2.c \
 src/crypto/sha1-tlsprf.c \
 src/crypto/sha1-tprf.c \
 src/crypto/sha256.c \
- src/crypto/crypto_openssl.c \
- src/crypto/tls_openssl.c \
- src/crypto/aes.h \
- src/crypto/aes_i.h \
- src/crypto/aes_wrap.h \
- src/crypto/crypto.h \
- src/crypto/md5.h \
- src/crypto/milenage.h \
- src/crypto/ms_funcs.h \
- src/crypto/sha1.h \
- src/crypto/sha256.h \
- src/crypto/tls.h
+ src/crypto/sha256-internal.c \
+ src/crypto/crypto_internal.c \
+ src/crypto/crypto_internal-cipher.c \
+ src/crypto/crypto_internal-modexp.c \
+ src/crypto/crypto_internal-rsa.c \
+ src/crypto/tls_internal.c \
+ src/crypto/fips_prf_internal.c \
+ src/crypto/aes.h \
+ src/crypto/aes_i.h \
+ src/crypto/aes_wrap.h \
+ src/crypto/crypto.h \
+ src/crypto/des_i.h \
+ src/crypto/dh_group5.h \
+ src/crypto/dh_groups.h \
+ src/crypto/md5.h \
+ src/crypto/md5_i.h \
+ src/crypto/milenage.h \
+ src/crypto/ms_funcs.h \
+ src/crypto/sha1.h \
+ src/crypto/sha1_i.h \
+ src/crypto/sha256.h \
+ src/crypto/tls.h
+
 TLS_SRCS = \
 src/tls/asn1.c \
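Review bot: Every header line in `CRYPTO_SRCS` is deleted and re-added with different leading whitespace, which buries the substantive change — the `*-internal.c`, `dh_*.c`, `rc4.c`, `crypto_internal-*.c` and `tls_internal.c` sources replacing `crypto_openssl.c` and `tls_openssl.c` — inside thirty lines of indentation churn; the `TLS_SRCS` hunk that follows does the same to all fourteen `src/tls/*.h` lines. Separating the whitespace normalisation from the backend switch would let a reviewer see at a glance which files now supply the cipher, RSA and DH code for the EAP tunnel, which is the part that warrants scrutiny. A short comment above the list naming the backend it describes, `# Bundled hostap crypto/TLS implementation (CONFIG_CRYPTO_INTERNAL / CONFIG_TLS_INTERNAL_CLIENT)`, would also make the list self-explanatory.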
@@ -171,21 +191,21 @@ TLS_SRCS = \
 src/tls/tlsv1_server_read.c \
 src/tls/tlsv1_server_write.c \
 src/tls/x509v3.c \
- src/tls/asn1.h \
- src/tls/bignum.h \
- src/tls/pkcs1.h \
- src/tls/pkcs5.h \
- src/tls/pkcs8.h \
- src/tls/rsa.h \
- src/tls/tlsv1_client.h \
- src/tls/tlsv1_client_i.h \
- src/tls/tlsv1_common.h \
- src/tls/tlsv1_cred.h \
- src/tls/tlsv1_record.h \
- src/tls/tlsv1_server.h \
- src/tls/tlsv1_server_i.h \
- src/tls/x509v3.h
-
-libeap_la_SOURCES = $(SOURCES_BOTH) $(SOURCES_peer) $(UTILS_SRCS) $(CRYPTO_SRCS)
+ src/tls/asn1.h \
+ src/tls/bignum.h \
+ src/tls/pkcs1.h \
+ src/tls/pkcs5.h \
+ src/tls/pkcs8.h \
+ src/tls/rsa.h \
+ src/tls/tlsv1_client.h \
+ src/tls/tlsv1_client_i.h \
+ src/tls/tlsv1_common.h \
+ src/tls/tlsv1_cred.h \
+ src/tls/tlsv1_record.h \
+ src/tls/tlsv1_server.h \
+ src/tls/tlsv1_server_i.h \
+ src/tls/x509v3.h
+
+libeap_la_SOURCES = $(SOURCES_BOTH) $(SOURCES_peer) $(UTILS_SRCS) $(CRYPTO_SRCS) $(TLS_SRCS)
 noinst_LTLIBRARIES = libeap.la
diff --git a/mech_eap/Makefile.am b/mech_eap/Makefile.am
index 720f79e..23de6af 100644
--- a/mech_eap/Makefile.am
+++ b/mech_eap/Makefile.am
@@ -42,14 +42,13 @@ mech_eap_la_CXXFLAGS += \
 @TARGET_CFLAGS@ $(EAP_CFLAGS)
 mech_eap_la_LDFLAGS = -avoid-version -module \
 -export-symbols $(GSSEAP_EXPORTS) -no-undefined \
- @KRB5_LDFLAGS@ @RADSEC_LDFLAGS@ @OPENSSL_LDFLAGS@ @TARGET_LDFLAGS@
+ @KRB5_LDFLAGS@ @RADSEC_LDFLAGS@ @TARGET_LDFLAGS@
 if TARGET_WINDOWS
 mech_eap_la_LDFLAGS += -debug
 endif
 mech_eap_la_LIBADD = @KRB5_LIBS@ ../libeap/libeap.la @RADSEC_LIBS@ \
- @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@ \
- @OPENSSL_LIBS@
+ @OPENSAML_LIBS@ @SHIBRESOLVER_LIBS@ @SHIBSP_LIBS@ @JANSSON_LIBS@
 mech_eap_la_SOURCES = \
 acquire_cred.c \
 acquire_cred_with_password.c \
diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h
index eb7e7db..d1790a0 100644
--- a/mech_eap/gssapiP_eap.h
+++ b/mech_eap/gssapiP_eap.h
@@ -150,8 +150,6 @@ struct gss_name_struct
 #define CRED_FLAG_DEFAULT_CCACHE 0x00080000
 #define CRED_FLAG_RESOLVED 0x00100000
 #define CRED_FLAG_TARGET 0x00200000
-#define CRED_FLAG_CERTIFICATE 0x00400000
-#define CRED_FLAG_CONFIG_BLOB 0x00800000
 #define CRED_FLAG_PUBLIC_MASK 0x0000FFFF
 #ifdef HAVE_HEIMDAL_VERSION
@@ -172,8 +170,6 @@ struct gss_cred_id_struct
 gss_buffer_desc caCertificate;
 gss_buffer_desc subjectNameConstraint;
 gss_buffer_desc subjectAltNameConstraint;
- gss_buffer_desc clientCertificate;
- gss_buffer_desc privateKey;
 #ifdef GSSEAP_ENABLE_REAUTH
 krb5_ccache krbCredCache;
 gss_cred_id_t reauthCred;
@@ -199,16 +195,11 @@ struct gss_cred_id_struct
 #define CTX_FLAG_EAP_ALT_REJECT 0x01000000
 #define CTX_FLAG_EAP_MASK 0xFFFF0000
-#define CONFIG_BLOB_CLIENT_CERT 0
-#define CONFIG_BLOB_PRIVATE_KEY 1
-#define CONFIG_BLOB_MAX 2
-
 struct gss_eap_initiator_ctx {
 unsigned int idleWhile;
 struct eap_peer_config eapPeerConfig;
 struct eap_sm *eap;
 struct wpabuf reqData;
- struct wpa_config_blob configBlobs[CONFIG_BLOB_MAX];
 };
 #ifdef GSSEAP_ENABLE_ACCEPTOR
diff --git a/mech_eap/gssapi_eap.h b/mech_eap/gssapi_eap.h
index 02f132f..588665b 100644
--- a/mech_eap/gssapi_eap.h
+++ b/mech_eap/gssapi_eap.h
@@ -78,13 +78,6 @@ extern gss_OID GSS_EAP_CRED_SET_CRED_FLAG;
 extern gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD;
 /*
- * Path to PKCS#12 private key file for use with EAP-TLS
- * authentication.
- */
-extern gss_OID GSS_EAP_CRED_SET_CRED_PRIVATE_KEY;
-
-
-/*
  * Credentials flag indicating the local attributes
  * processing should be skipped.
  */
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index a67d381..e99b479 100644
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -167,20 +167,10 @@ peerSetConfigBlob(void *ctx GSSEAP_UNUSED,
 }
 static const struct wpa_config_blob *
-peerGetConfigBlob(void *ctx,
- const char *name)
+peerGetConfigBlob(void *ctx GSSEAP_UNUSED,
+ const char *name GSSEAP_UNUSED)
 {
- gss_ctx_id_t gssCtx = (gss_ctx_id_t)ctx;
- size_t index;
-
- if (strcmp(name, "client-cert") == 0)
- index = CONFIG_BLOB_CLIENT_CERT;
- else if (strcmp(name, "private-key") == 0)
- index = CONFIG_BLOB_PRIVATE_KEY;
- else
- return NULL;
-
- return &gssCtx->initiatorCtx.configBlobs[index];
+ return NULL;
 }
 static void
@@ -210,7 +200,6 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
 OM_uint32 major;
 krb5_context krbContext;
 struct eap_peer_config *eapPeerConfig = &ctx->initiatorCtx.eapPeerConfig;
- struct wpa_config_blob *configBlobs = ctx->initiatorCtx.configBlobs;
 gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
 gss_cred_id_t cred = ctx->cred;
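Review bot: `peerGetConfigBlob` now returns NULL unconditionally, but nothing in the body says why, and a reader who knows the EAP peer asks this callback for the `client-cert` and `private-key` blobs will suspect a bug rather than an intentional stub. Suggest a comment in the body, `/* Config blobs carried the EAP-TLS client certificate and private key; that support was removed with the OpenSSL backend, so no blob is ever available. */`. If the EAP peer tolerates a NULL `get_config_blob` entry, the stub could be dropped from the callback table instead — the table is not visible from this hunk, so that needs confirming. The same removal deletes the exported `GSS_EAP_CRED_SET_CRED_PRIVATE_KEY` OID from `gssapi_eap.h` and `set_cred_option.c`, which is an ABI break for any application that references it; that deserves a mention in the commit message, or a retained table entry that returns an error for the OID.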
@@ -261,37 +250,14 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
 eapPeerConfig->anonymous_identity_len = 1 + realm.length;
 /* password */
- if ((cred->flags & CRED_FLAG_CERTIFICATE) == 0) {
- eapPeerConfig->password = (unsigned char *)cred->password.value;
- eapPeerConfig->password_len = cred->password.length;
- }
+ eapPeerConfig->password = (unsigned char *)cred->password.value;
+ eapPeerConfig->password_len = cred->password.length;
 /* certs */
 eapPeerConfig->ca_cert = (unsigned char *)cred->caCertificate.value;
 eapPeerConfig->subject_match = (unsigned char *)cred->subjectNameConstraint.value;
 eapPeerConfig->altsubject_match = (unsigned char *)cred->subjectAltNameConstraint.value;
- if (cred->flags & CRED_FLAG_CERTIFICATE) {
- /*
- * CRED_FLAG_CONFIG_BLOB is an internal flag which will be used in the
- * future to directly pass certificate and private key data to the
- * EAP implementation, rather than an indirected string pointer.
- */
- if (cred->flags & CRED_FLAG_CONFIG_BLOB) {
- eapPeerConfig->client_cert = (unsigned char *)"blob://client-cert";
- configBlobs[CONFIG_BLOB_CLIENT_CERT].data = cred->clientCertificate.value;
- configBlobs[CONFIG_BLOB_CLIENT_CERT].len = cred->clientCertificate.length;
-
- eapPeerConfig->client_cert = (unsigned char *)"blob://private-key";
- configBlobs[CONFIG_BLOB_PRIVATE_KEY].data = cred->clientCertificate.value;
- configBlobs[CONFIG_BLOB_PRIVATE_KEY].len = cred->privateKey.length;
- } else {
- eapPeerConfig->client_cert = (unsigned char *)cred->clientCertificate.value;
- eapPeerConfig->private_key = (unsigned char *)cred->privateKey.value;
- }
- eapPeerConfig->private_key_passwd = (unsigned char *)cred->password.value;
- }
-
 *minor = 0;
 return GSS_S_COMPLETE;
 }
diff --git a/mech_eap/set_cred_option.c b/mech_eap/set_cred_option.c
index 98bb482..7bb9b7b 100644
--- a/mech_eap/set_cred_option.c
+++ b/mech_eap/set_cred_option.c
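Review bot: `eapPeerConfig->password` is now taken from `cred->password` unconditionally, so `peerConfigInit` relies on every credential that reaches it carrying a password; the last hunk of this patch makes `gssEapResolveInitiatorCred` reject credentials without `CRED_FLAG_PASSWORD`, but that invariant is invisible here. A comment above the assignment, `/* CRED_FLAG_PASSWORD is guaranteed by gssEapResolveInitiatorCred(); certificate-only credentials are no longer supported */`, would tie the two together. The assignment aliases the credential's password buffer rather than copying it (as the removed code also did), so the credential must outlive the peer config — worth stating where `peerConfigInit` starts, outside this hunk, if it is not already. The `/* certs */` section that survives now only ever sets the CA certificate and name constraints, so its comment could say so to avoid suggesting a client certificate is configured.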
@@ -121,15 +121,6 @@ setCredPassword(OM_uint32 *minor,
 return gssEapSetCredPassword(minor, cred, buffer);
 }
-static OM_uint32
-setCredPrivateKey(OM_uint32 *minor,
- gss_cred_id_t cred,
- const gss_OID oid GSSEAP_UNUSED,
- const gss_buffer_t buffer)
-{
- return gssEapSetCredClientCertificate(minor, cred, GSS_C_NO_BUFFER, buffer);
-}
-
 static struct {
 gss_OID_desc oid;
 OM_uint32 (*setOption)(OM_uint32 *, gss_cred_id_t cred,
@@ -155,18 +146,12 @@ static struct {
 { 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x04" },
 setCredPassword,
 },
- /* 1.3.6.1.4.1.5322.22.3.3.5 */
- {
- { 11, "\x2B\x06\x01\x04\x01\xA9\x4A\x16\x03\x03\x05" },
- setCredPrivateKey,
- },
 };
 gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_FILE = &setCredOps[0].oid;
 gss_OID GSS_EAP_CRED_SET_RADIUS_CONFIG_STANZA = &setCredOps[1].oid;
 gss_OID GSS_EAP_CRED_SET_CRED_FLAG = &setCredOps[2].oid;
 gss_OID GSS_EAP_CRED_SET_CRED_PASSWORD = &setCredOps[3].oid;
-gss_OID GSS_EAP_CRED_SET_CRED_PRIVATE_KEY = &setCredOps[4].oid;
 OM_uint32 GSSAPI_CALLCONV
 gssspi_set_cred_option(OM_uint32 *minor,
diff --git a/mech_eap/util.h b/mech_eap/util.h
index 7a6c094..4f54d41 100644
--- a/mech_eap/util.h
+++ b/mech_eap/util.h
@@ -270,12 +270,6 @@ gssEapSetCredPassword(OM_uint32 *minor,
 const gss_buffer_t password);
 OM_uint32
-gssEapSetCredClientCertificate(OM_uint32 *minor,
- gss_cred_id_t cred,
- const gss_buffer_t clientCert,
- const gss_buffer_t privateKey);
-
-OM_uint32
 gssEapSetCredService(OM_uint32 *minor,
 gss_cred_id_t cred,
 const gss_name_t target);
diff --git a/mech_eap/util_cred.c b/mech_eap/util_cred.c
index 8f8b99b..746bd61 100644
--- a/mech_eap/util_cred.c
+++ b/mech_eap/util_cred.c
@@ -104,8 +104,6 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
 gss_release_buffer(&tmpMinor, &cred->caCertificate);
 gss_release_buffer(&tmpMinor, &cred->subjectNameConstraint);
 gss_release_buffer(&tmpMinor, &cred->subjectAltNameConstraint);
- gss_release_buffer(&tmpMinor, &cred->clientCertificate);
- gss_release_buffer(&tmpMinor, &cred->privateKey);
 #ifdef GSSEAP_ENABLE_REAUTH
 if (cred->krbCredCache != NULL) {
@@ -130,8 +128,7 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
 static OM_uint32
 readStaticIdentityFile(OM_uint32 *minor,
 gss_buffer_t defaultIdentity,
- gss_buffer_t defaultPassword,
- gss_buffer_t defaultPrivateKey)
+ gss_buffer_t defaultPassword)
 {
 OM_uint32 major, tmpMinor;
 FILE *fp = NULL;
@@ -151,11 +148,6 @@ readStaticIdentityFile(OM_uint32 *minor,
 defaultPassword->value = NULL;
 }
- if (defaultPrivateKey != GSS_C_NO_BUFFER) {
- defaultPrivateKey->length = 0;
- defaultPrivateKey->value = NULL;
- }
-
 ccacheName = getenv("GSSEAP_IDENTITY");
 if (ccacheName == NULL) {
 #ifdef WIN32
@@ -211,8 +203,6 @@ readStaticIdentityFile(OM_uint32 *minor,
 dst = defaultIdentity;
 else if (i == 1)
 dst = defaultPassword;
- else if (i == 2)
- dst = defaultPrivateKey;
 else
 break;
@@ -241,7 +231,6 @@ cleanup:
 if (GSS_ERROR(major)) {
 gss_release_buffer(&tmpMinor, defaultIdentity);
 zeroAndReleasePassword(defaultPassword);
- gss_release_buffer(&tmpMinor, defaultPrivateKey);
 }
 memset(buf, 0, sizeof(buf));
@@ -382,8 +371,7 @@ staticIdentityFileResolveDefaultIdentity(OM_uint32 *minor,
 *pName = GSS_C_NO_NAME;
- major = readStaticIdentityFile(minor, &defaultIdentity,
- GSS_C_NO_BUFFER, GSS_C_NO_BUFFER);
+ major = readStaticIdentityFile(minor, &defaultIdentity, GSS_C_NO_BUFFER);
 if (major == GSS_S_COMPLETE) {
 major = gssEapImportName(minor, &defaultIdentity, GSS_C_NT_USER_NAME,
 nameMech, pName);
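Review bot: With the third parameter of `readStaticIdentityFile` gone, the `else break;` in the line loop (the hunk at old line 211) means anything after the second line of the identity file is now silently ignored, where it was previously read as the private-key path; a user with an existing three-line `~/.gss_eap_id` gets neither an error nor a log message. Suggest documenting the accepted format above the function, whose signature hunk (old line 130) is here but whose body starts and ends outside these hunks: first line identity, second line password, any further lines ignored. If silently dropping a previously meaningful line is not intended, the `break` could instead report a malformed file, but that is a behaviour choice for the maintainers. The removed pre-initialisation (old line 151), cleanup release (old line 241) and the call-site update (old line 382) are consistent with the new signature.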
@@ -547,68 +535,6 @@ cleanup:
 return major;
 }
-/*
- * Currently only the privateKey path is exposed to the application
- * (via gss_set_cred_option() or the third line in ~/.gss_eap_id).
- * At some point in the future we may add support for setting the
- * client certificate separately.
- */
-OM_uint32
-gssEapSetCredClientCertificate(OM_uint32 *minor,
- gss_cred_id_t cred,
- const gss_buffer_t clientCert,
- const gss_buffer_t privateKey)
-{
- OM_uint32 major, tmpMinor;
- gss_buffer_desc newClientCert = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc newPrivateKey = GSS_C_EMPTY_BUFFER;
-
- if (cred->flags & CRED_FLAG_RESOLVED) {
- major = GSS_S_FAILURE;
- *minor = GSSEAP_CRED_RESOLVED;
- goto cleanup;
- }
-
- if (clientCert == GSS_C_NO_BUFFER &&
- privateKey == GSS_C_NO_BUFFER) {
- cred->flags &= ~(CRED_FLAG_CERTIFICATE);
- major = GSS_S_COMPLETE;
- *minor = 0;
- goto cleanup;
- }
-
- if (clientCert != GSS_C_NO_BUFFER) {
- major = duplicateBuffer(minor, clientCert, &newClientCert);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- if (privateKey != GSS_C_NO_BUFFER) {
- major = duplicateBuffer(minor, privateKey, &newPrivateKey);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- cred->flags |= CRED_FLAG_CERTIFICATE;
-
- gss_release_buffer(&tmpMinor, &cred->clientCertificate);
- cred->clientCertificate = newClientCert;
-
- gss_release_buffer(&tmpMinor, &cred->privateKey);
- cred->privateKey = newPrivateKey;
-
- major = GSS_S_COMPLETE;
- *minor = 0;
-
-cleanup:
- if (GSS_ERROR(major)) {
- gss_release_buffer(&tmpMinor, &newClientCert);
- gss_release_buffer(&tmpMinor, &newPrivateKey);
- }
-
- return major;
-}
-
 OM_uint32
 gssEapSetCredService(OM_uint32 *minor,
 gss_cred_id_t cred,
@@ -693,10 +619,6 @@ gssEapDuplicateCred(OM_uint32 *minor,
 duplicateBufferOrCleanup(&src->subjectNameConstraint, &dst->subjectNameConstraint);
 if (src->subjectAltNameConstraint.value != NULL)
 duplicateBufferOrCleanup(&src->subjectAltNameConstraint, &dst->subjectAltNameConstraint);
- if (src->clientCertificate.value != NULL)
- duplicateBufferOrCleanup(&src->clientCertificate, &dst->clientCertificate);
- if (src->privateKey.value != NULL)
- duplicateBufferOrCleanup(&src->privateKey, &dst->privateKey);
 #ifdef GSSEAP_ENABLE_REAUTH
 /* XXX krbCredCache, reauthCred */
@@ -721,11 +643,9 @@ staticIdentityFileResolveInitiatorCred(OM_uint32 *minor, gss_cred_id_t cred)
 gss_buffer_desc defaultIdentity = GSS_C_EMPTY_BUFFER;
 gss_name_t defaultIdentityName = GSS_C_NO_NAME;
 gss_buffer_desc defaultPassword = GSS_C_EMPTY_BUFFER;
- gss_buffer_desc defaultPrivateKey = GSS_C_EMPTY_BUFFER;
 int isDefaultIdentity = FALSE;
- major = readStaticIdentityFile(minor, &defaultIdentity,
- &defaultPassword, &defaultPrivateKey);
+ major = readStaticIdentityFile(minor, &defaultIdentity, &defaultPassword);
 if (GSS_ERROR(major))
 goto cleanup;
@@ -753,26 +673,17 @@ staticIdentityFileResolveInitiatorCred(OM_uint32 *minor, gss_cred_id_t cred)
 }
 }
- if (isDefaultIdentity) {
- if (defaultPrivateKey.length != 0) {
- major = gssEapSetCredClientCertificate(minor, cred, GSS_C_NO_BUFFER,
- &defaultPrivateKey);
- if (GSS_ERROR(major))
- goto cleanup;
- }
-
- if ((cred->flags & CRED_FLAG_PASSWORD) == 0) {
- major = gssEapSetCredPassword(minor, cred, &defaultPassword);
- if (GSS_ERROR(major))
- goto cleanup;
- }
+ if (isDefaultIdentity &&
+ (cred->flags & CRED_FLAG_PASSWORD) == 0) {
+ major = gssEapSetCredPassword(minor, cred, &defaultPassword);
+ if (GSS_ERROR(major))
+ goto cleanup;
 }
 cleanup:
 gssEapReleaseName(&tmpMinor, &defaultIdentityName);
 zeroAndReleasePassword(&defaultPassword);
 gss_release_buffer(&tmpMinor, &defaultIdentity);
- gss_release_buffer(&tmpMinor, &defaultPrivateKey);
 return major;
 }
@@ -823,8 +734,7 @@ gssEapResolveInitiatorCred(OM_uint32 *minor,
 goto cleanup;
 /* If we have a caller-supplied password, the credential is resolved. */
- if ((resolvedCred->flags &
- (CRED_FLAG_PASSWORD | CRED_FLAG_CERTIFICATE)) == 0) {
+ if ((resolvedCred->flags & CRED_FLAG_PASSWORD) == 0) {
 major = GSS_S_CRED_UNAVAIL;
 *minor = GSSEAP_NO_DEFAULT_CRED;
 goto cleanup;