(init_auth): if the cred is expired before we tries to create a token,
fail so the peer doesn't need reject us (*): make sure time is returned in seconds from now, not in kerberos time (repl_mutual): remember to unlock the context mutex git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12345 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
@@ -193,6 +193,7 @@ init_auth
|
||||
Checksum cksum;
|
||||
krb5_enctype enctype;
|
||||
krb5_data fwd_data;
|
||||
OM_uint32 lifetime_rec;
|
||||
|
||||
krb5_data_zero(&outbuf);
|
||||
krb5_data_zero(&fwd_data);
|
||||
@@ -293,7 +294,7 @@ init_auth
|
||||
} else
|
||||
this_cred.times.endtime = 0;
|
||||
this_cred.session.keytype = 0;
|
||||
|
||||
|
||||
kret = krb5_get_credentials (gssapi_krb5_context,
|
||||
KRB5_TC_MATCH_KEYTYPE,
|
||||
ccache,
|
||||
@@ -309,10 +310,23 @@ init_auth
|
||||
|
||||
(*context_handle)->lifetime = cred->times.endtime;
|
||||
|
||||
ret = gssapi_lifetime_left(minor_status,
|
||||
(*context_handle)->lifetime,
|
||||
&lifetime_rec);
|
||||
if (ret) {
|
||||
goto failure;
|
||||
}
|
||||
|
||||
if (lifetime_rec == 0) {
|
||||
*minor_status = 0;
|
||||
ret = GSS_S_CONTEXT_EXPIRED;
|
||||
goto failure;
|
||||
}
|
||||
|
||||
krb5_auth_con_setkey(gssapi_krb5_context,
|
||||
(*context_handle)->auth_context,
|
||||
&cred->session);
|
||||
|
||||
|
||||
kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context,
|
||||
(*context_handle)->auth_context,
|
||||
&cred->session);
|
||||
@@ -322,13 +336,13 @@ init_auth
|
||||
ret = GSS_S_FAILURE;
|
||||
goto failure;
|
||||
}
|
||||
|
||||
|
||||
flags = 0;
|
||||
ap_options = 0;
|
||||
if (req_flags & GSS_C_DELEG_FLAG)
|
||||
do_delegation ((*context_handle)->auth_context,
|
||||
ccache, cred, target_name, &fwd_data, &flags);
|
||||
|
||||
|
||||
if (req_flags & GSS_C_MUTUAL_FLAG) {
|
||||
flags |= GSS_C_MUTUAL_FLAG;
|
||||
ap_options |= AP_OPTS_MUTUAL_REQUIRED;
|
||||
@@ -414,7 +428,7 @@ init_auth
|
||||
return GSS_S_CONTINUE_NEEDED;
|
||||
} else {
|
||||
if (time_rec)
|
||||
*time_rec = (*context_handle)->lifetime;
|
||||
*time_rec = lifetime_rec;
|
||||
|
||||
(*context_handle)->more_flags |= OPEN;
|
||||
return GSS_S_COMPLETE;
|
||||
@@ -473,7 +487,7 @@ repl_mutual
|
||||
/* XXX - Handle AP_ERROR */
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
kret = krb5_rd_rep (gssapi_krb5_context,
|
||||
(*context_handle)->auth_context,
|
||||
&indata,
|
||||
@@ -486,16 +500,22 @@ repl_mutual
|
||||
}
|
||||
krb5_free_ap_rep_enc_part (gssapi_krb5_context,
|
||||
repl);
|
||||
|
||||
(*context_handle)->more_flags |= OPEN;
|
||||
|
||||
if (time_rec)
|
||||
*time_rec = (*context_handle)->lifetime;
|
||||
if (ret_flags)
|
||||
*ret_flags = (*context_handle)->flags;
|
||||
(*context_handle)->more_flags |= OPEN;
|
||||
|
||||
*minor_status = 0;
|
||||
return GSS_S_COMPLETE;
|
||||
if (time_rec) {
|
||||
ret = gssapi_lifetime_left(minor_status,
|
||||
(*context_handle)->lifetime,
|
||||
time_rec);
|
||||
} else {
|
||||
ret = GSS_S_COMPLETE;
|
||||
}
|
||||
if (ret_flags)
|
||||
*ret_flags = (*context_handle)->flags;
|
||||
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@@ -193,6 +193,7 @@ init_auth
|
||||
Checksum cksum;
|
||||
krb5_enctype enctype;
|
||||
krb5_data fwd_data;
|
||||
OM_uint32 lifetime_rec;
|
||||
|
||||
krb5_data_zero(&outbuf);
|
||||
krb5_data_zero(&fwd_data);
|
||||
@@ -293,7 +294,7 @@ init_auth
|
||||
} else
|
||||
this_cred.times.endtime = 0;
|
||||
this_cred.session.keytype = 0;
|
||||
|
||||
|
||||
kret = krb5_get_credentials (gssapi_krb5_context,
|
||||
KRB5_TC_MATCH_KEYTYPE,
|
||||
ccache,
|
||||
@@ -309,10 +310,23 @@ init_auth
|
||||
|
||||
(*context_handle)->lifetime = cred->times.endtime;
|
||||
|
||||
ret = gssapi_lifetime_left(minor_status,
|
||||
(*context_handle)->lifetime,
|
||||
&lifetime_rec);
|
||||
if (ret) {
|
||||
goto failure;
|
||||
}
|
||||
|
||||
if (lifetime_rec == 0) {
|
||||
*minor_status = 0;
|
||||
ret = GSS_S_CONTEXT_EXPIRED;
|
||||
goto failure;
|
||||
}
|
||||
|
||||
krb5_auth_con_setkey(gssapi_krb5_context,
|
||||
(*context_handle)->auth_context,
|
||||
&cred->session);
|
||||
|
||||
|
||||
kret = krb5_auth_con_generatelocalsubkey(gssapi_krb5_context,
|
||||
(*context_handle)->auth_context,
|
||||
&cred->session);
|
||||
@@ -322,13 +336,13 @@ init_auth
|
||||
ret = GSS_S_FAILURE;
|
||||
goto failure;
|
||||
}
|
||||
|
||||
|
||||
flags = 0;
|
||||
ap_options = 0;
|
||||
if (req_flags & GSS_C_DELEG_FLAG)
|
||||
do_delegation ((*context_handle)->auth_context,
|
||||
ccache, cred, target_name, &fwd_data, &flags);
|
||||
|
||||
|
||||
if (req_flags & GSS_C_MUTUAL_FLAG) {
|
||||
flags |= GSS_C_MUTUAL_FLAG;
|
||||
ap_options |= AP_OPTS_MUTUAL_REQUIRED;
|
||||
@@ -414,7 +428,7 @@ init_auth
|
||||
return GSS_S_CONTINUE_NEEDED;
|
||||
} else {
|
||||
if (time_rec)
|
||||
*time_rec = (*context_handle)->lifetime;
|
||||
*time_rec = lifetime_rec;
|
||||
|
||||
(*context_handle)->more_flags |= OPEN;
|
||||
return GSS_S_COMPLETE;
|
||||
@@ -473,7 +487,7 @@ repl_mutual
|
||||
/* XXX - Handle AP_ERROR */
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
kret = krb5_rd_rep (gssapi_krb5_context,
|
||||
(*context_handle)->auth_context,
|
||||
&indata,
|
||||
@@ -486,16 +500,22 @@ repl_mutual
|
||||
}
|
||||
krb5_free_ap_rep_enc_part (gssapi_krb5_context,
|
||||
repl);
|
||||
|
||||
(*context_handle)->more_flags |= OPEN;
|
||||
|
||||
if (time_rec)
|
||||
*time_rec = (*context_handle)->lifetime;
|
||||
if (ret_flags)
|
||||
*ret_flags = (*context_handle)->flags;
|
||||
(*context_handle)->more_flags |= OPEN;
|
||||
|
||||
*minor_status = 0;
|
||||
return GSS_S_COMPLETE;
|
||||
if (time_rec) {
|
||||
ret = gssapi_lifetime_left(minor_status,
|
||||
(*context_handle)->lifetime,
|
||||
time_rec);
|
||||
} else {
|
||||
ret = GSS_S_COMPLETE;
|
||||
}
|
||||
if (ret_flags)
|
||||
*ret_flags = (*context_handle)->flags;
|
||||
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
Reference in New Issue
Block a user