(init_auth): if the cred is expired before we tries to create a token,

fail so the peer doesn't need reject us (*): make sure time is returned in seconds from now, not in kerberos time (repl_mutual): remember to unlock the context mutex git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12345 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-06-03 15:22:58 +00:00
parent a2408d7675
commit f6870509a7
2 changed files with 66 additions and 26 deletions
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -193,6 +193,7 @@ init_auth
    Checksum cksum;
    krb5_enctype enctype;
    krb5_data fwd_data;
    OM_uint32 lifetime_rec;
    krb5_data_zero(&outbuf);
    krb5_data_zero(&fwd_data);
@@ -293,7 +294,7 @@ init_auth
    } else
 	this_cred.times.endtime   = 0;
    this_cred.session.keytype = 0;
-  
+
    kret = krb5_get_credentials (gssapi_krb5_context,
 				 KRB5_TC_MATCH_KEYTYPE,
 				 ccache,
@@ -309,10 +310,23 @@ init_auth
    (*context_handle)->lifetime = cred->times.endtime;
    ret = gssapi_lifetime_left(minor_status,
 			       (*context_handle)->lifetime,
 			       &lifetime_rec);
    if (ret) {
 	goto failure;
    }
    if (lifetime_rec == 0) {
 	*minor_status = 0;
 	ret = GSS_S_CONTEXT_EXPIRED;
 	goto failure;
    }
    krb5_auth_con_setkey(gssapi_krb5_context, 
 			 (*context_handle)->auth_context, 
 			 &cred->session);
-  
+
    kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, 
 					     (*context_handle)->auth_context,
 					     &cred->session);
@@ -322,13 +336,13 @@ init_auth
 	ret = GSS_S_FAILURE;
 	goto failure;
    }
-
+    
    flags = 0;
    ap_options = 0;
    if (req_flags & GSS_C_DELEG_FLAG)
 	do_delegation ((*context_handle)->auth_context,
 		       ccache, cred, target_name, &fwd_data, &flags);
-       
+    
    if (req_flags & GSS_C_MUTUAL_FLAG) {
 	flags |= GSS_C_MUTUAL_FLAG;
 	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
@@ -414,7 +428,7 @@ init_auth
 	return GSS_S_CONTINUE_NEEDED;
    } else {
 	if (time_rec)
-	    *time_rec = (*context_handle)->lifetime;
+	    *time_rec = lifetime_rec;
 	(*context_handle)->more_flags |= OPEN;
 	return GSS_S_COMPLETE;
@@ -473,7 +487,7 @@ repl_mutual
 	/* XXX - Handle AP_ERROR */
 	return ret;
    }
-
+    
    kret = krb5_rd_rep (gssapi_krb5_context,
 			(*context_handle)->auth_context,
 			&indata,
@@ -486,16 +500,22 @@ repl_mutual
    }
    krb5_free_ap_rep_enc_part (gssapi_krb5_context,
 			       repl);
    (*context_handle)->more_flags |= OPEN;
-    if (time_rec)
+    (*context_handle)->more_flags |= OPEN;
 	*time_rec = (*context_handle)->lifetime;
    if (ret_flags)
 	*ret_flags = (*context_handle)->flags;
    *minor_status = 0;
-    return GSS_S_COMPLETE;
+    if (time_rec) {
 	ret = gssapi_lifetime_left(minor_status,
 				   (*context_handle)->lifetime,
 				   time_rec);
    } else {
 	ret = GSS_S_COMPLETE;
    }
    if (ret_flags)
 	*ret_flags = (*context_handle)->flags;
    HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
    return ret;
 }
 /*
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -193,6 +193,7 @@ init_auth
    Checksum cksum;
    krb5_enctype enctype;
    krb5_data fwd_data;
    OM_uint32 lifetime_rec;
    krb5_data_zero(&outbuf);
    krb5_data_zero(&fwd_data);
@@ -293,7 +294,7 @@ init_auth
    } else
 	this_cred.times.endtime   = 0;
    this_cred.session.keytype = 0;
-  
+
    kret = krb5_get_credentials (gssapi_krb5_context,
 				 KRB5_TC_MATCH_KEYTYPE,
 				 ccache,
@@ -309,10 +310,23 @@ init_auth
    (*context_handle)->lifetime = cred->times.endtime;
    ret = gssapi_lifetime_left(minor_status,
 			       (*context_handle)->lifetime,
 			       &lifetime_rec);
    if (ret) {
 	goto failure;
    }
    if (lifetime_rec == 0) {
 	*minor_status = 0;
 	ret = GSS_S_CONTEXT_EXPIRED;
 	goto failure;
    }
    krb5_auth_con_setkey(gssapi_krb5_context, 
 			 (*context_handle)->auth_context, 
 			 &cred->session);
-  
+
    kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context, 
 					     (*context_handle)->auth_context,
 					     &cred->session);
@@ -322,13 +336,13 @@ init_auth
 	ret = GSS_S_FAILURE;
 	goto failure;
    }
-
+    
    flags = 0;
    ap_options = 0;
    if (req_flags & GSS_C_DELEG_FLAG)
 	do_delegation ((*context_handle)->auth_context,
 		       ccache, cred, target_name, &fwd_data, &flags);
-       
+    
    if (req_flags & GSS_C_MUTUAL_FLAG) {
 	flags |= GSS_C_MUTUAL_FLAG;
 	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
@@ -414,7 +428,7 @@ init_auth
 	return GSS_S_CONTINUE_NEEDED;
    } else {
 	if (time_rec)
-	    *time_rec = (*context_handle)->lifetime;
+	    *time_rec = lifetime_rec;
 	(*context_handle)->more_flags |= OPEN;
 	return GSS_S_COMPLETE;
@@ -473,7 +487,7 @@ repl_mutual
 	/* XXX - Handle AP_ERROR */
 	return ret;
    }
-
+    
    kret = krb5_rd_rep (gssapi_krb5_context,
 			(*context_handle)->auth_context,
 			&indata,
@@ -486,16 +500,22 @@ repl_mutual
    }
    krb5_free_ap_rep_enc_part (gssapi_krb5_context,
 			       repl);
    (*context_handle)->more_flags |= OPEN;
-    if (time_rec)
+    (*context_handle)->more_flags |= OPEN;
 	*time_rec = (*context_handle)->lifetime;
    if (ret_flags)
 	*ret_flags = (*context_handle)->flags;
    *minor_status = 0;
-    return GSS_S_COMPLETE;
+    if (time_rec) {
 	ret = gssapi_lifetime_left(minor_status,
 				   (*context_handle)->lifetime,
 				   time_rec);
    } else {
 	ret = GSS_S_COMPLETE;
    }
    if (ret_flags)
 	*ret_flags = (*context_handle)->flags;
    HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
    return ret;
 }
 /*