From: Luke Howard Date: Thu, 31 Mar 2011 07:30:26 +0000 (+1100) Subject: Use empty name for anonymous name X-Git-Tag: tr-beta1~216 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=moonshot.git;a=commitdiff_plain;h=4b97ddb7f7cb8136aee0b7d8368f482240c8dafb Use empty name for anonymous name
---
diff --git a/mech_eap/TODO b/mech_eap/TODO
index 205440e..d622364 100644
--- a/mech_eap/TODO
+++ b/mech_eap/TODO
@@ -1,3 +1,7 @@ - integration with initiator-side EAP channel bindings - integration with final supplicant architecture - test Heimdal port + +- fix ABNF: no slash in the case where there is no host +- specify anonymous behaviour: use empty name +
diff --git a/mech_eap/util.h b/mech_eap/util.h
index 1c1b585..1a51d6f 100644
--- a/mech_eap/util.h
+++ b/mech_eap/util.h
@@ -337,9 +337,6 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor, krb5_keyblock *key, krb5_cksumtype *cksumtype); -krb5_const_principal -krbAnonymousPrincipal(void); - krb5_error_code krbCryptoLength(krb5_context krbContext, #ifdef HAVE_HEIMDAL_VERSION
diff --git a/mech_eap/util_krb.c b/mech_eap/util_krb.c
index abc9e61..88ad6dd 100644
--- a/mech_eap/util_krb.c
+++ b/mech_eap/util_krb.c
@@ -300,26 +300,6 @@ rfc3961ChecksumTypeForKey(OM_uint32 *minor, return GSS_S_COMPLETE; } -#ifdef HAVE_HEIMDAL_VERSION -static heim_general_string krbAnonymousPrincipalComponents[] = - { KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME }; - -static const Principal krbAnonymousPrincipalData = { - { KRB5_NT_WELLKNOWN, { 2, krbAnonymousPrincipalComponents } }, - "WELLKNOWN:ANONYMOUS" -}; -#endif - -krb5_const_principal -krbAnonymousPrincipal(void) -{ -#ifdef HAVE_HEIMDAL_VERSION - return &krbAnonymousPrincipalData; -#else - return krb5_anonymous_principal(); -#endif -} - krb5_error_code krbCryptoLength(krb5_context krbContext, #ifdef HAVE_HEIMDAL_VERSION
diff --git a/mech_eap/util_name.c b/mech_eap/util_name.c
index 7950d0b..64931a2 100644
--- a/mech_eap/util_name.c
+++ b/mech_eap/util_name.c
@@ -226,19 +226,14 @@ importEapNameFlags(OM_uint32 *minor, krb5_context krbContext; krb5_principal krbPrinc = NULL; krb5_error_code code; + char *nameString; GSSEAP_KRB_INIT(&krbContext); if (nameBuffer == GSS_C_NO_BUFFER) { - code = krb5_copy_principal(krbContext, - krbAnonymousPrincipal(), &krbPrinc); - if (code != 0) { - *minor = code; - return GSS_S_FAILURE; - } + nameString = ""; + code = KRB5_PARSE_MALFORMED; } else { - char *nameString; - major = bufferToString(minor, nameBuffer, &nameString); if (GSS_ERROR(major)) return major; 
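Review bot: In the `nameBuffer == GSS_C_NO_BUFFER` branch, `nameString = "";` stores a string literal in a non-const `char *` that the other branch fills with heap memory from bufferToString(), so the variable now has two ownership states. The only thing keeping GSSEAP_FREE off the literal is the separate `if (nameBuffer != GSS_C_NO_BUFFER)` test in the following hunk, and nothing at the assignment says so. Setting `code = KRB5_PARSE_MALFORMED` purely to steer into the fallback parse is equally non-obvious. I would add a comment above the two assignments, e.g. `/* anonymous: empty literal, must not be freed; force the fallback parse below */`. importEapNameFlags starts before this hunk and continues after it.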
@@ -250,39 +245,41 @@ importEapNameFlags(OM_uint32 *minor, * Kerberos prevents the default realm being set to an empty value.) */ code = krb5_parse_name_flags(krbContext, nameString, - KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &krbPrinc); - if (code == KRB5_PARSE_MALFORMED) { - char *defaultRealm = NULL; - int parseFlags = 0; + KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &krbPrinc); + } - /* Possibly append the default EAP realm if required */ - if (importFlags & IMPORT_FLAG_DEFAULT_REALM) - defaultRealm = gssEapGetDefaultRealm(krbContext); + if (code == KRB5_PARSE_MALFORMED) { + char *defaultRealm = NULL; + int parseFlags = 0; - /* If no default realm, leave the realm empty in the parsed name */ - if (defaultRealm == NULL || defaultRealm[0] == '\0') - parseFlags |= KRB5_PRINCIPAL_PARSE_NO_REALM; + /* Possibly append the default EAP realm if required */ + if (importFlags & IMPORT_FLAG_DEFAULT_REALM) + defaultRealm = gssEapGetDefaultRealm(krbContext); - code = krb5_parse_name_flags(krbContext, nameString, parseFlags, &krbPrinc); + /* If no default realm, leave the realm empty in the parsed name */ + if (defaultRealm == NULL || defaultRealm[0] == '\0') + parseFlags |= KRB5_PRINCIPAL_PARSE_NO_REALM; + + code = krb5_parse_name_flags(krbContext, nameString, parseFlags, &krbPrinc); #ifdef HAVE_HEIMDAL_VERSION - if (code == 0 && KRB_PRINC_REALM(krbPrinc) == NULL) { - KRB_PRINC_REALM(krbPrinc) = GSSEAP_CALLOC(1, sizeof(char)); - if (KRB_PRINC_REALM(krbPrinc) == NULL) - code = ENOMEM; - } + if (code == 0 && KRB_PRINC_REALM(krbPrinc) == NULL) { + KRB_PRINC_REALM(krbPrinc) = GSSEAP_CALLOC(1, sizeof(char)); + if (KRB_PRINC_REALM(krbPrinc) == NULL) + code = ENOMEM; + } #endif - if (defaultRealm != NULL) - GSSEAP_FREE(defaultRealm); - } + if (defaultRealm != NULL) + GSSEAP_FREE(defaultRealm); + } + if (nameBuffer != GSS_C_NO_BUFFER) GSSEAP_FREE(nameString); - if (code != 0) { - *minor = code; - return GSS_S_FAILURE; - } + if (code != 0) { + *minor = code; + return GSS_S_FAILURE; } 
assert(krbPrinc != NULL);
@@ -736,9 +733,7 @@ gssEapDisplayName(OM_uint32 *minor, krb5_free_unparsed_name(krbContext, krbName); - if (KRB_PRINC_TYPE(name->krbPrincipal) == KRB5_NT_WELLKNOWN && - krb5_principal_compare(krbContext, - name->krbPrincipal, krbAnonymousPrincipal())) { + if (KRB_PRINC_LENGTH(name->krbPrincipal) == 0) { name_type = GSS_C_NT_ANONYMOUS; } else { name_type = GSS_EAP_NT_EAP_NAME;
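Review bot: In the `#ifdef HAVE_HEIMDAL_VERSION` block of importEapNameFlags (the `@@ -250,39 +245,41 @@` hunk), a failed GSSEAP_CALLOC sets `code = ENOMEM` after krb5_parse_name_flags has already produced `krbPrinc`, and the `if (code != 0)` exit then returns GSS_S_FAILURE without releasing it. The parsed principal leaks on that path. I would release it where the allocation fails, `krb5_free_principal(krbContext, krbPrinc); krbPrinc = NULL;` just before `code = ENOMEM;`. Separately, the realm is allocated with GSSEAP_CALLOC but will presumably be released by the Kerberos library's own free routine, so it is worth confirming the two allocators match. The function starts before this hunk.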
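Review bot: In gssEapDisplayName (the `@@ -736,9 +733,7 @@` hunk), the new test `KRB_PRINC_LENGTH(name->krbPrincipal) == 0` reports GSS_C_NT_ANONYMOUS for every principal with zero components, not only the one importEapNameFlags builds for GSS_C_NO_BUFFER. Whether a caller-supplied string, such as an empty one or one holding only a realm, also parses to zero components is not visible here and presumably depends on the Kerberos library. A supplied name could therefore be classified as anonymous, or the imported empty name might not be. I would state the invariant at the test, e.g. `/* anonymous == zero name components, as produced by importEapNameFlags for GSS_C_NO_BUFFER */`, and add a test on both MIT and Heimdal that imports GSS_C_NO_BUFFER and checks the displayed name type. gssEapDisplayName starts before this hunk and continues after it.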