From: Luke Howard Date: Sun, 2 Jan 2011 07:45:54 +0000 (+1100) Subject: Get default credentials for acceptor context too X-Git-Tag: vm/20110310~68 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=mech_eap.orig;a=commitdiff_plain;h=bb9927f5ce8a09c29d449cfacc6f5309c42c06e0 Get default credentials for acceptor context too --- diff --git a/accept_sec_context.c b/accept_sec_context.c index bdf86ea..bbce729 100644 --- a/accept_sec_context.c +++ b/accept_sec_context.c @@ -143,7 +143,7 @@ eapGssSmAcceptIdentity(OM_uint32 *minor, assert(ctx->acceptorName == GSS_C_NO_NAME); - if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) { + if (cred->name != GSS_C_NO_NAME) { major = gssEapDuplicateName(minor, cred->name, &ctx->acceptorName); if (GSS_ERROR(major)) return major; @@ -284,12 +284,10 @@ createRadiusHandle(OM_uint32 *minor, return GSS_S_FAILURE; } - if (cred != GSS_C_NO_CREDENTIAL) { - if (cred->radiusConfigFile != NULL) - configFile = cred->radiusConfigFile; - if (cred->radiusConfigStanza != NULL) - configStanza = cred->radiusConfigStanza; - } + if (cred->radiusConfigFile != NULL) + configFile = cred->radiusConfigFile; + if (cred->radiusConfigStanza != NULL) + configStanza = cred->radiusConfigStanza; ralloc.calloc = GSSEAP_CALLOC; ralloc.malloc = GSSEAP_MALLOC; 
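Review bot: eapGssSmAcceptIdentity now dereferences cred unconditionally in `if (cred->name != GSS_C_NO_NAME)`, and createRadiusHandle below does the same for radiusConfigFile/radiusConfigStanza; this is only safe because gss_accept_sec_context substitutes ctx->defaultCred before the state machine runs, which nothing in these hunks states. Since eapGssSmAcceptIdentity already asserts its preconditions, I would add `assert(cred != GSS_C_NO_CREDENTIAL);` beside the existing `assert(ctx->acceptorName == GSS_C_NO_NAME);` so any future caller passing GSS_C_NO_CREDENTIAL fails with a clear assertion in debug builds instead of a bare NULL dereference. Both functions start outside their hunks.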
@@ -594,17 +592,26 @@ gss_accept_sec_context(OM_uint32 *minor, GSSEAP_MUTEX_LOCK(&ctx->mutex); - /* Validate and lock credentials */ - if (cred != GSS_C_NO_CREDENTIAL) { - GSSEAP_MUTEX_LOCK(&cred->mutex); - - if ((cred->flags & CRED_FLAG_ACCEPT) == 0) { - *minor = GSSEAP_CRED_USAGE_MISMATCH; - major = GSS_S_NO_CRED; - goto cleanup; + if (cred == GSS_C_NO_CREDENTIAL) { + if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { + major = gssEapAcquireCred(minor, + GSS_C_NO_NAME, + GSS_C_NO_BUFFER, + GSS_C_INDEFINITE, + GSS_C_NO_OID_SET, + GSS_C_ACCEPT, + &ctx->defaultCred, + NULL, + NULL); + if (GSS_ERROR(major)) + goto cleanup; } + + cred = ctx->defaultCred; } + GSSEAP_MUTEX_LOCK(&cred->mutex); + sm = &eapGssAcceptorSm[ctx->state]; major = gssEapVerifyToken(minor, ctx, input_token, @@ -720,7 +727,7 @@ acceptReadyKrb(OM_uint32 *minor, if (GSS_ERROR(major)) return major; - if (cred != GSS_C_NO_CREDENTIAL && cred->name != GSS_C_NO_NAME) { + if (cred->name != GSS_C_NO_NAME) { major = gssEapDuplicateName(minor, cred->name, &ctx->acceptorName); if (GSS_ERROR(major)) return major; @@ -745,19 +752,15 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor, gss_buffer_t outputToken) { OM_uint32 major, tmpMinor; - gss_cred_id_t krbCred = GSS_C_NO_CREDENTIAL; gss_name_t krbInitiator = GSS_C_NO_NAME; gss_OID mech = GSS_C_NO_OID; OM_uint32 gssFlags, timeRec = GSS_C_INDEFINITE; ctx->flags |= CTX_FLAG_KRB_REAUTH; - if (cred != GSS_C_NO_CREDENTIAL) - krbCred = cred->krbCred; - major = gssAcceptSecContext(minor, &ctx->kerberosCtx, - krbCred, + cred->krbCred, inputToken, chanBindings, &krbInitiator, diff --git a/gssapiP_eap.h b/gssapiP_eap.h index eed57a1..65d01bf 100644 --- a/gssapiP_eap.h +++ b/gssapiP_eap.h @@ -166,7 +166,6 @@ enum gss_eap_state { #define CTX_FLAG_EAP_MASK 0xFFFF0000 struct gss_eap_initiator_ctx { - gss_cred_id_t defaultCred; unsigned int idleWhile; #ifndef __cplusplus struct eap_peer_config eapPeerConfig; 
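Review bot: The removed block also dropped the credential-usage check, so a caller-supplied credential whose CRED_FLAG_ACCEPT is clear (one acquired with GSS_C_INITIATE) is now accepted by gss_accept_sec_context instead of failing with GSS_S_NO_CRED / GSSEAP_CRED_USAGE_MISMATCH, and nothing in the new lines replaces it. The lazily acquired ctx->defaultCred is requested with GSS_C_ACCEPT, so reinstating the check directly after `GSSEAP_MUTEX_LOCK(&cred->mutex);` keeps the default-credential path working while restoring the rejection of wrong-usage credentials. The old check sat after the lock and jumped to cleanup, which presumably still unlocks cred->mutex; the rest of gss_accept_sec_context, including cleanup, is outside this hunk.
```c
    GSSEAP_MUTEX_LOCK(&cred->mutex);

    /* Reject credentials not acquired for accepting (usage check kept from before). */
    if ((cred->flags & CRED_FLAG_ACCEPT) == 0) {
        *minor = GSSEAP_CRED_USAGE_MISMATCH;
        major = GSS_S_NO_CRED;
        goto cleanup;
    }

    sm = &eapGssAcceptorSm[ctx->state];
    /* … unchanged: gssEapVerifyToken call … */
```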
@@ -202,6 +201,7 @@ struct gss_ctx_id_struct time_t expiryTime; uint64_t sendSeq, recvSeq; void *seqState; + gss_cred_id_t defaultCred; union { struct gss_eap_initiator_ctx initiator; #define initiatorCtx ctxU.initiator diff --git a/init_sec_context.c b/init_sec_context.c index b46f981..ae0a65c 100644 --- a/init_sec_context.c +++ b/init_sec_context.c @@ -671,7 +671,6 @@ gss_init_sec_context(OM_uint32 *minor, gss_buffer_desc innerInputToken; gss_buffer_desc innerOutputToken = GSS_C_EMPTY_BUFFER; enum gss_eap_token_type tokType; - gss_cred_id_t defaultCred = GSS_C_NO_CREDENTIAL; int initialContextToken = 0; *minor = 0; @@ -698,21 +697,21 @@ gss_init_sec_context(OM_uint32 *minor, GSSEAP_MUTEX_LOCK(&ctx->mutex); if (cred == GSS_C_NO_CREDENTIAL) { - if (ctx->initiatorCtx.defaultCred == GSS_C_NO_CREDENTIAL) { + if (ctx->defaultCred == GSS_C_NO_CREDENTIAL) { major = gssEapAcquireCred(minor, GSS_C_NO_NAME, GSS_C_NO_BUFFER, time_req, GSS_C_NO_OID_SET, GSS_C_INITIATE, - &defaultCred, + &ctx->defaultCred, NULL, NULL); if (GSS_ERROR(major)) goto cleanup; } - cred = ctx->initiatorCtx.defaultCred; + cred = ctx->defaultCred; } GSSEAP_MUTEX_LOCK(&cred->mutex); diff --git a/util_context.c b/util_context.c index 9fa64c8..e54203f 100644 --- a/util_context.c +++ b/util_context.c @@ -80,9 +80,6 @@ gssEapAllocContext(OM_uint32 *minor, static void releaseInitiatorContext(struct gss_eap_initiator_ctx *ctx) { - OM_uint32 minor; - - gssEapReleaseCred(&minor, &ctx->defaultCred); eap_peer_sm_deinit(ctx->eap); } @@ -132,6 +129,7 @@ gssEapReleaseContext(OM_uint32 *minor, gssEapReleaseName(&tmpMinor, &ctx->acceptorName); gss_release_oid(&tmpMinor, &ctx->mechanismUsed); sequenceFree(&tmpMinor, &ctx->seqState); + gssEapReleaseCred(&tmpMinor, &ctx->defaultCred); GSSEAP_MUTEX_DESTROY(&ctx->mutex);
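Review bot: The new `gss_cred_id_t defaultCred;` member of gss_ctx_id_struct carries no comment, although its ownership and lifetime matter: it is acquired lazily by gss_init_sec_context and gss_accept_sec_context when the caller passes GSS_C_NO_CREDENTIAL, and released in gssEapReleaseContext. I would annotate it `gss_cred_id_t defaultCred; /* acquired lazily when the caller passes GSS_C_NO_CREDENTIAL; owned and released by the context */` so readers do not mistake it for a borrowed caller credential. The struct definition starts before this hunk.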