From 19d7957ee7eb2f18afac79d60dc8e0049c85ea7a Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Fri, 18 Mar 2011 01:40:21 +1100
Subject: [PATCH] require a realm in EAP names; don't add default Kerberos realm
---
 mech_eap/README | 3 ++-
 mech_eap/util_cred.c | 7 +++++--
 mech_eap/util_name.c | 4 +++-
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/mech_eap/README b/mech_eap/README
index 3e5e4eb..c145c33 100644
--- a/mech_eap/README
+++ b/mech_eap/README
@@ -112,7 +112,8 @@ appropriately ( is the name of the host running the server, not the RADIUS server).
 % gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
- -user -pass host@ "Testing GSS EAP"
+ -user @ -pass host@ \
+ "Testing GSS EAP"
 % gss-server -port 5555 -export host@
 Note: for SASL you will be prompted for a username and password.
diff --git a/mech_eap/util_cred.c b/mech_eap/util_cred.c
index 3b06a53..0a2108b 100644
--- a/mech_eap/util_cred.c
+++ b/mech_eap/util_cred.c
@@ -161,6 +161,7 @@ gssEapAcquireCred(OM_uint32 *minor,
 } else {
 gss_buffer_desc nameBuf = GSS_C_EMPTY_BUFFER;
 gss_OID nameType = GSS_C_NO_OID;
+ char loginName[256];
 if (cred->flags & CRED_FLAG_ACCEPT) {
 char serviceName[5 + MAXHOSTNAMELEN] = "host@";
@@ -177,8 +178,10 @@ gssEapAcquireCred(OM_uint32 *minor,
 nameType = GSS_C_NT_HOSTBASED_SERVICE;
 } else if (cred->flags & CRED_FLAG_INITIATE) {
- nameBuf.value = getlogin(); /* XXX */
- nameBuf.length = strlen((char *)nameBuf.value);
+ /* XXX FIXME temporary implementation */
+ snprintf(loginName, sizeof(loginName), "%s@", getlogin());
+ nameBuf.value = loginName;
+ nameBuf.length = strlen(loginName);
 nameType = GSS_C_NT_USER_NAME;
 }
diff --git a/mech_eap/util_name.c b/mech_eap/util_name.c
index 85f8b3f..fa5b108 100644
--- a/mech_eap/util_name.c
+++ b/mech_eap/util_name.c
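Review bot: In mech_eap/util_cred.c (second hunk, the CRED_FLAG_INITIATE branch), the result of getlogin() is passed straight to snprintf's `%s` with no NULL check; getlogin() returns NULL when the process has no controlling terminal or login record, as is typical for daemons, and a NULL `%s` argument is undefined behaviour. The snprintf return value is also ignored, so a login name that does not fit the 256-byte loginName buffer declared in the first hunk is silently truncated and loses its trailing `@`. I would fetch the name first with `const char *login = getlogin();`, fail on `login == NULL` through whatever error path the function already uses (not visible here), and treat a snprintf result `>= sizeof(loginName)` as an error too. Separately, getlogin() reports the login-session name rather than the identity of the process's effective uid, so `getpwuid(geteuid())` is the more trustworthy source if this default initiator name is kept beyond the "temporary implementation". gssEapAcquireCred starts and ends outside both hunks.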
@@ -210,7 +210,9 @@ importUserName(OM_uint32 *minor,
 if (GSS_ERROR(major))
 return major;
- *minor = krb5_parse_name(krbContext, nameString, &krbPrinc);
+ *minor = krb5_parse_name_flags(krbContext, nameString,
+ KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
+ &krbPrinc);
 if (*minor != 0) {
 GSSEAP_FREE(nameString);
 return GSS_S_FAILURE;
-- 
2.1.4
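Review bot: In importUserName, a name rejected by krb5_parse_name_flags(), which now includes every name without a realm, is still reported as GSS_S_FAILURE; `return GSS_S_BAD_NAME;` in the `*minor != 0` branch would tell the caller that the input name is at fault, provided no caller depends on the old status. The flag also deserves a short comment saying why it is there, for example `/* EAP identities must carry an explicit realm; never fall back to the local default Kerberos realm */`. Note that util_cred.c in this same commit builds `login@` with an empty realm and evidently expects it to parse, so this check presumably only requires the `@` to be present; any later code that routes or authorises on the realm needs its own non-empty check. The function body continues outside the hunk.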