From f6870509a7e410568b3b8eba1b05333dc8821830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Tue, 3 Jun 2003 15:22:58 +0000 Subject: [PATCH] (init_auth): if the cred is expired before we tries to create a token, fail so the peer doesn't need reject us (*): make sure time is returned in seconds from now, not in kerberos time (repl_mutual): remember to unlock the context mutex git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12345 ec53bebd-3082-4978-b11e-865c3cabbd6b --- lib/gssapi/init_sec_context.c | 46 +++++++++++++++++++++--------- lib/gssapi/krb5/init_sec_context.c | 46 +++++++++++++++++++++--------- 2 files changed, 66 insertions(+), 26 deletions(-) diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c index b4300757f..e8fe64be9 100644 --- a/lib/gssapi/init_sec_context.c +++ b/lib/gssapi/init_sec_context.c @@ -193,6 +193,7 @@ init_auth Checksum cksum; krb5_enctype enctype; krb5_data fwd_data; + OM_uint32 lifetime_rec; krb5_data_zero(&outbuf); krb5_data_zero(&fwd_data); @@ -293,7 +294,7 @@ init_auth } else this_cred.times.endtime = 0; this_cred.session.keytype = 0; - + kret = krb5_get_credentials (gssapi_krb5_context, KRB5_TC_MATCH_KEYTYPE, ccache, @@ -309,10 +310,23 @@ init_auth (*context_handle)->lifetime = cred->times.endtime; + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + &lifetime_rec); + if (ret) { + goto failure; + } + + if (lifetime_rec == 0) { + *minor_status = 0; + ret = GSS_S_CONTEXT_EXPIRED; + goto failure; + } + krb5_auth_con_setkey(gssapi_krb5_context, (*context_handle)->auth_context, &cred->session); - + kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, (*context_handle)->auth_context, &cred->session); @@ -322,13 +336,13 @@ init_auth ret = GSS_S_FAILURE; goto failure; } - + flags = 0; ap_options = 0; if (req_flags & GSS_C_DELEG_FLAG) do_delegation ((*context_handle)->auth_context, ccache, cred, target_name, &fwd_data, &flags); - + if (req_flags & GSS_C_MUTUAL_FLAG) { flags |= GSS_C_MUTUAL_FLAG; ap_options |= AP_OPTS_MUTUAL_REQUIRED; @@ -414,7 +428,7 @@ init_auth return GSS_S_CONTINUE_NEEDED; } else { if (time_rec) - *time_rec = (*context_handle)->lifetime; + *time_rec = lifetime_rec; (*context_handle)->more_flags |= OPEN; return GSS_S_COMPLETE; @@ -473,7 +487,7 @@ repl_mutual /* XXX - Handle AP_ERROR */ return ret; } - + kret = krb5_rd_rep (gssapi_krb5_context, (*context_handle)->auth_context, &indata, @@ -486,16 +500,22 @@ repl_mutual } krb5_free_ap_rep_enc_part (gssapi_krb5_context, repl); - - (*context_handle)->more_flags |= OPEN; - if (time_rec) - *time_rec = (*context_handle)->lifetime; - if (ret_flags) - *ret_flags = (*context_handle)->flags; + (*context_handle)->more_flags |= OPEN; *minor_status = 0; - return GSS_S_COMPLETE; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + } else { + ret = GSS_S_COMPLETE; + } + if (ret_flags) + *ret_flags = (*context_handle)->flags; + HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + + return ret; } /* diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index b4300757f..e8fe64be9 100644 --- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -193,6 +193,7 @@ init_auth Checksum cksum; krb5_enctype enctype; krb5_data fwd_data; + OM_uint32 lifetime_rec; krb5_data_zero(&outbuf); krb5_data_zero(&fwd_data); @@ -293,7 +294,7 @@ init_auth } else this_cred.times.endtime = 0; this_cred.session.keytype = 0; - + kret = krb5_get_credentials (gssapi_krb5_context, KRB5_TC_MATCH_KEYTYPE, ccache, @@ -309,10 +310,23 @@ init_auth (*context_handle)->lifetime = cred->times.endtime; + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + &lifetime_rec); + if (ret) { + goto failure; + } + + if (lifetime_rec == 0) { + *minor_status = 0; + ret = GSS_S_CONTEXT_EXPIRED; + goto failure; + } + krb5_auth_con_setkey(gssapi_krb5_context, (*context_handle)->auth_context, &cred->session); - + kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, (*context_handle)->auth_context, &cred->session); @@ -322,13 +336,13 @@ init_auth ret = GSS_S_FAILURE; goto failure; } - + flags = 0; ap_options = 0; if (req_flags & GSS_C_DELEG_FLAG) do_delegation ((*context_handle)->auth_context, ccache, cred, target_name, &fwd_data, &flags); - + if (req_flags & GSS_C_MUTUAL_FLAG) { flags |= GSS_C_MUTUAL_FLAG; ap_options |= AP_OPTS_MUTUAL_REQUIRED; @@ -414,7 +428,7 @@ init_auth return GSS_S_CONTINUE_NEEDED; } else { if (time_rec) - *time_rec = (*context_handle)->lifetime; + *time_rec = lifetime_rec; (*context_handle)->more_flags |= OPEN; return GSS_S_COMPLETE; @@ -473,7 +487,7 @@ repl_mutual /* XXX - Handle AP_ERROR */ return ret; } - + kret = krb5_rd_rep (gssapi_krb5_context, (*context_handle)->auth_context, &indata, @@ -486,16 +500,22 @@ repl_mutual } krb5_free_ap_rep_enc_part (gssapi_krb5_context, repl); - - (*context_handle)->more_flags |= OPEN; - if (time_rec) - *time_rec = (*context_handle)->lifetime; - if (ret_flags) - *ret_flags = (*context_handle)->flags; + (*context_handle)->more_flags |= OPEN; *minor_status = 0; - return GSS_S_COMPLETE; + if (time_rec) { + ret = gssapi_lifetime_left(minor_status, + (*context_handle)->lifetime, + time_rec); + } else { + ret = GSS_S_COMPLETE; + } + if (ret_flags) + *ret_flags = (*context_handle)->flags; + HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); + + return ret; } /*