projects / mech_eap.orig / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
cleanup unused parameter warnings
[mech_eap.orig] / util_cred.c
diff --git a/util_cred.c b/util_cred.c
index 984ebac..6330118 100644 (file)
--- a/util_cred.c
+++ b/util_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,6 +30,10 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * Utility routines for credential handles.
+ */
+
 #include "gssapiP_eap.h"
 
 OM_uint32
@@ -38,7 +42,7 @@ gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred)
     OM_uint32 tmpMinor;
     gss_cred_id_t cred;
 
-    assert(*pCred == GSS_C_NO_CREDENTIAL);
+    *pCred = GSS_C_NO_CREDENTIAL;
 
     cred = (gss_cred_id_t)GSSEAP_CALLOC(1, sizeof(*cred));
     if (cred == NULL) {
@@ -52,8 +56,6 @@ gssEapAllocCred(OM_uint32 *minor, gss_cred_id_t *pCred)
         return GSS_S_FAILURE;
     }
 
-    cred->expiryTime = ~0;
-
     *pCred = cred;
 
     *minor = 0;
@@ -65,11 +67,14 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
 {
     OM_uint32 tmpMinor;
     gss_cred_id_t cred = *pCred;
+    krb5_context krbContext = NULL;
 
     if (cred == GSS_C_NO_CREDENTIAL) {
         return GSS_S_COMPLETE;
     }
 
+    GSSEAP_KRB_INIT(&krbContext);
+
     gssEapReleaseName(&tmpMinor, &cred->name);
 
     if (cred->password.value != NULL) {
@@ -77,6 +82,22 @@ gssEapReleaseCred(OM_uint32 *minor, gss_cred_id_t *pCred)
         GSSEAP_FREE(cred->password.value);
     }
 
+    if (cred->radiusConfigFile != NULL)
+        GSSEAP_FREE(cred->radiusConfigFile);
+    if (cred->radiusConfigStanza != NULL)
+        GSSEAP_FREE(cred->radiusConfigStanza);
+
+#ifdef GSSEAP_ENABLE_REAUTH
+    if (cred->krbCredCache != NULL) {
+        if (cred->flags & CRED_FLAG_DEFAULT_CCACHE)
+            krb5_cc_close(krbContext, cred->krbCredCache);
+        else
+            krb5_cc_destroy(krbContext, cred->krbCredCache);
+    }
+    if (cred->krbCred != GSS_C_NO_CREDENTIAL)
+        gssReleaseCred(&tmpMinor, &cred->krbCred);
+#endif
+
     GSSEAP_MUTEX_DESTROY(&cred->mutex);
     memset(cred, 0, sizeof(*cred));
     GSSEAP_FREE(cred);
@@ -90,7 +111,7 @@ OM_uint32
 gssEapAcquireCred(OM_uint32 *minor,
                   const gss_name_t desiredName,
                   const gss_buffer_t password,
-                  OM_uint32 timeReq,
+                  OM_uint32 timeReq GSSEAP_UNUSED,
                   const gss_OID_set desiredMechs,
                   int credUsage,
                   gss_cred_id_t *pCred,
@@ -100,17 +121,71 @@ gssEapAcquireCred(OM_uint32 *minor,
     OM_uint32 major, tmpMinor;
     gss_cred_id_t cred;
 
+    /* XXX TODO validate with changed set_cred_option API */
     *pCred = GSS_C_NO_CREDENTIAL;
 
     major = gssEapAllocCred(minor, &cred);
     if (GSS_ERROR(major))
         goto cleanup;
 
+    switch (credUsage) {
+    case GSS_C_BOTH:
+        cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
+        break;
+    case GSS_C_INITIATE:
+        cred->flags |= CRED_FLAG_INITIATE;
+        break;
+    case GSS_C_ACCEPT:
+        cred->flags |= CRED_FLAG_ACCEPT;
+        break;
+    default:
+        major = GSS_S_FAILURE;
+        *minor = GSSEAP_BAD_USAGE;
+        goto cleanup;
+        break;
+    }
+
     if (desiredName != GSS_C_NO_NAME) {
-        major = gss_duplicate_name(minor, desiredName, &cred->name);
-        if (GSS_ERROR(major))
+        GSSEAP_MUTEX_LOCK(&desiredName->mutex);
+
+        major = gssEapDuplicateName(minor, desiredName, &cred->name);
+        if (GSS_ERROR(major)) {
+            GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
             goto cleanup;
+        }
+
+        GSSEAP_MUTEX_UNLOCK(&desiredName->mutex);
     } else {
+        gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
+        gss_OID nameType = GSS_C_NO_OID;
+
+        if (cred->flags & CRED_FLAG_ACCEPT) {
+            char serviceName[5 + MAXHOSTNAMELEN] = "host@";
+
+            /* default host-based service is host@localhost */
+            if (gethostname(&serviceName[5], MAXHOSTNAMELEN) != 0) {
+                major = GSS_S_FAILURE;
+                *minor = GSSEAP_NO_HOSTNAME;
+                goto cleanup;
+            }
+
+            nameBuf.value = serviceName;
+            nameBuf.length = strlen((char *)nameBuf.value);
+
+            nameType = GSS_C_NT_HOSTBASED_SERVICE;
+        } else if (cred->flags & CRED_FLAG_INITIATE) {
+            nameBuf.value = getlogin(); /* XXX */
+            nameBuf.length = strlen((char *)nameBuf.value);
+
+            nameType = GSS_C_NT_USER_NAME;
+        }
+
+        if (nameBuf.length != 0) {
+            major = gssEapImportName(minor, &nameBuf, nameType, &cred->name);
+            if (GSS_ERROR(major))
+                goto cleanup;
+        }
+
         cred->flags |= CRED_FLAG_DEFAULT_IDENTITY;
     }
 
@@ -120,6 +195,18 @@ gssEapAcquireCred(OM_uint32 *minor,
             goto cleanup;
 
         cred->flags |= CRED_FLAG_PASSWORD;
+    } else if (cred->flags & CRED_FLAG_INITIATE) {
+        /*
+         * OK, here we need to ask the supplicant if we have creds or it
+         * will acquire them, so GS2 can know whether to prompt for a
+         * password or not.
+         */
+#if 0
+        && !gssEapCanReauthP(cred, GSS_C_NO_NAME, timeReq)
+#endif
+        major = GSS_S_CRED_UNAVAIL;
+        *minor = GSSEAP_MISSING_PASSWORD;
+        goto cleanup;
     }
 
     major = gssEapValidateMechs(minor, desiredMechs);
@@ -130,22 +217,6 @@ gssEapAcquireCred(OM_uint32 *minor,
     if (GSS_ERROR(major))
         goto cleanup;
 
-    switch (credUsage) {
-    case GSS_C_BOTH:
-        cred->flags |= CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT;
-        break;
-    case GSS_C_INITIATE:
-        cred->flags |= CRED_FLAG_INITIATE;
-        break;
-    case GSS_C_ACCEPT:
-        cred->flags |= CRED_FLAG_ACCEPT;
-        break;
-    default:
-        major = GSS_S_FAILURE;
-        goto cleanup;
-        break;
-    }
-
     if (pActualMechs != NULL) {
         major = duplicateOidSet(minor, cred->mechanisms, pActualMechs);
         if (GSS_ERROR(major))
@@ -156,7 +227,9 @@ gssEapAcquireCred(OM_uint32 *minor,
         *timeRec = GSS_C_INDEFINITE;
 
     *pCred = cred;
+
     major = GSS_S_COMPLETE;
+    *minor = 0;
 
 cleanup:
     if (GSS_ERROR(major))
@@ -164,3 +237,23 @@ cleanup:
 
     return major;
 }
+
+/*
+ * Return TRUE if cred available for mechanism. Caller need no acquire
+ * lock because mechanisms list is immutable.
+ */
+int
+gssEapCredAvailable(gss_cred_id_t cred, gss_OID mech)
+{
+    OM_uint32 minor;
+    int present = 0;
+
+    assert(mech != GSS_C_NO_OID);
+
+    if (cred == GSS_C_NO_CREDENTIAL || cred->mechanisms == GSS_C_NO_OID_SET)
+        return TRUE;
+
+    gss_test_oid_set_member(&minor, mech, cred->mechanisms, &present);
+
+    return present;
+}
Moonshot GSS-API mechanism