propagate SAML expiry time

[mech_eap.orig] / util_krb.c
diff --git a/util_krb.c b/util_krb.c

index dd52890..75fe0b3 100644 (file)
--- a/util_krb.c
+++ b/util_krb.c
@@ -81,7 +81,7 @@ gssEapKerberosInit(OM_uint32 *minor, krb5_context *context)
   * where random-to-key and prf are defined in RFC 3961.
   */
  OM_uint32
-gssEapDeriveRFC3961Key(OM_uint32 *minor,
+gssEapDeriveRfc3961Key(OM_uint32 *minor,
                         const unsigned char *key,
                         size_t keyLength,
                         krb5_enctype enctype,
@@ -97,9 +97,8 @@ gssEapDeriveRFC3961Key(OM_uint32 *minor,
  
      GSSEAP_KRB_INIT(&context);
  
-    kd.contents = NULL;
-    kd.length = 0;
-    KRB_KEYTYPE(&kd) = enctype;
+    KRB_KEY_INIT(&kd);
+    KRB_KEY_TYPE(&kd) = enctype;
  
      prf.data = NULL;
      prf.length = 0;
@@ -116,12 +115,12 @@ gssEapDeriveRFC3961Key(OM_uint32 *minor,
      data.length = keybytes;
      data.data = (char *)key;
  
-    kd.contents = GSSEAP_MALLOC(keylength);
-    if (kd.contents == NULL) {
+    KRB_KEY_DATA(&kd) = GSSEAP_MALLOC(keylength);
+    if (KRB_KEY_DATA(&kd) == NULL) {
          code = ENOMEM;
          goto cleanup;
      }
-    kd.length = keylength;
+    KRB_KEY_LENGTH(&kd) = keylength;
  
      /* Convert MSK into a Kerberos key */
      code = krb5_c_random_to_key(context, enctype, &data, &kd);
@@ -157,12 +156,12 @@ gssEapDeriveRFC3961Key(OM_uint32 *minor,
          goto cleanup;
  
      *pKey = kd;
-    kd.contents = NULL;
+    KRB_KEY_DATA(&kd) = NULL;
  
  cleanup:
-    if (kd.contents != NULL) {
-        memset(kd.contents, 0, kd.length);
-        GSSEAP_FREE(kd.contents);
+    if (KRB_KEY_DATA(&kd) != NULL) {
+        memset(KRB_KEY_DATA(&kd), 0, KRB_KEY_LENGTH(&kd));
+        GSSEAP_FREE(KRB_KEY_DATA(&kd));
      }
      if (prf.data != NULL) {
          memset(prf.data, 0, prf.length);
@@ -172,3 +171,49 @@ cleanup:
      *minor = code;
      return (code == 0) ? GSS_S_COMPLETE : GSS_S_FAILURE;
  }
+
+#ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
+#endif
+
+OM_uint32
+rfc3961ChecksumTypeForKey(OM_uint32 *minor,
+                          krb5_keyblock *key,
+                          krb5_cksumtype *cksumtype)
+{
+    krb5_context krbContext;
+#ifndef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+    krb5_data data;
+    krb5_checksum cksum;
+#endif
+
+    GSSEAP_KRB_INIT(&krbContext);
+
+#ifdef HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE
+    *minor = krb5int_c_mandatory_cksumtype(krbContext, KRB_KEY_TYPE(key),
+                                           cksumtype);
+    if (*minor != 0)
+        return GSS_S_FAILURE;
+#else
+    data.length = 0;
+    data.data = NULL;
+
+    memset(&cksum, 0, sizeof(cksum));
+
+    /*
+     * This is a complete hack but it's the only way to work with
+     * MIT Kerberos pre-1.9 without using private API, as it does
+     * not support passing in zero as the checksum type.
+     */
+    *minor = krb5_c_make_checksum(krbContext, 0, key, 0, &data, &cksum);
+    if (*minor != 0)
+        return GSS_S_FAILURE;
+
+    *cksumtype = cksum.checksum_type;
+
+    krb5_free_checksum_contents(krbContext, &cksum);
+#endif /* HAVE_KRB5INT_C_MANDATORY_CKSUMTYPE */
+
+    return GSS_S_COMPLETE;
+}