enc_part.client = ctx->initiatorName->krbPrincipal;
enc_part.times.authtime = time(NULL);
enc_part.times.starttime = enc_part.times.authtime;
- enc_part.times.endtime = ctx->expiryTime
+ enc_part.times.endtime = (ctx->expiryTime != 0)
? ctx->expiryTime
: KRB5_INT32_MAX;
enc_part.times.renew_till = 0;
return FALSE;
}
+/*
+ * Returns TRUE if the configuration variable reauth_use_ccache is
+ * set in krb5.conf for the eap_gss application and the client realm.
+ */
static int
reauthUseCredsCache(krb5_context krbContext,
krb5_principal principal)
return reauthUseCCache;
}
+/*
+ * Look in default credentials cache for reauthentication credentials,
+ * if policy allows.
+ */
static OM_uint32
-getReauthCredentials(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_name_t target,
- time_t now,
- OM_uint32 timeReq)
+getDefaultReauthCredentials(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_name_t target,
+ time_t now,
+ OM_uint32 timeReq)
{
OM_uint32 major = GSS_S_CRED_UNAVAIL;
krb5_context krbContext = NULL;
assert(cred != GSS_C_NO_CREDENTIAL);
assert(target != GSS_C_NO_NAME);
- if (!reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
+ if (cred->name == GSS_C_NO_NAME ||
+ !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
goto cleanup;
match.client = cred->name->krbPrincipal;
return major;
}
+/*
+ * Returns TRUE if the credential handle's reauth credentials are
+ * valid or if we can use the default credentials cache. Credentials
+ * handle must be locked.
+ */
int
gssEapCanReauthP(gss_cred_id_t cred,
gss_name_t target,
OM_uint32 timeReq)
{
- time_t now;
+ time_t now, expiryReq;
+ OM_uint32 minor;
- if (cred == GSS_C_NO_CREDENTIAL)
- return FALSE;
+ assert(cred != GSS_C_NO_CREDENTIAL);
now = time(NULL);
+ expiryReq = now;
+ if (timeReq != GSS_C_INDEFINITE)
+ expiryReq += timeReq;
- if (cred->krbCredCache != NULL &&
- cred->expiryTime > time(NULL) + (timeReq ? timeReq : 0))
+ if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
return TRUE;
- if (cred->name != GSS_C_NO_NAME) {
- OM_uint32 major, minor;
-
- major = getReauthCredentials(&minor, cred, target, now, timeReq);
-
- return !GSS_ERROR(major);
- }
+ if (getDefaultReauthCredentials(&minor, cred, target,
+ now, timeReq) == GSS_S_COMPLETE)
+ return TRUE;
return FALSE;
}
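Review bot: The cache check on the `if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)` line does not agree with the store path later in this diff, where an endtime of KRB5_INT32_MAX is recorded as `cred->expiryTime = 0`; a never-expiring credential then compares as already expired and the function falls through to the default ccache lookup instead of returning TRUE. If 0 is meant as "no expiry" for cred->expiryTime, as the first hunk treats it for ctx->expiryTime, the condition should read `cred->krbCredCache != NULL && (cred->expiryTime == 0 || cred->expiryTime > expiryReq)`. Replacing the `cred == GSS_C_NO_CREDENTIAL` early return with an assert also means that in an NDEBUG build a null handle is dereferenced on that same line rather than reported as FALSE; if callers are now guaranteed to pass a handle, a short comment above the assert stating that contract would make the change deliberate. The `expiryReq += timeReq` line adds an OM_uint32 to a time_t and can wrap where time_t is 32-bit, which is presumably acceptable but worth a comment.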
/*
* Store re-authentication (Kerberos) credentials in a credential handle.
+ * Credentials handle must be locked.
*/
OM_uint32
gssEapStoreReauthCreds(OM_uint32 *minor,
krb5_free_principal(krbContext, cred->name->krbPrincipal);
cred->name->krbPrincipal = canonPrinc;
- cred->expiryTime = creds[0]->times.endtime;
+ if (creds[0]->times.endtime == KRB5_INT32_MAX)
+ cred->expiryTime = 0;
+ else
+ cred->expiryTime = creds[0]->times.endtime;
if (cred->krbCredCache == NULL) {
if (reauthUseCredsCache(krbContext, creds[0]->client) &&