projects / mech_eap.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
don't store count in exported RADIUS attrs
[mech_eap.git] / util_reauth.c
diff --git a/util_reauth.c b/util_reauth.c
index c86b206..409287e 100644 (file)
--- a/util_reauth.c
+++ b/util_reauth.c
@@ -207,7 +207,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     enc_part.client = ctx->initiatorName->krbPrincipal;
     enc_part.times.authtime = time(NULL);
     enc_part.times.starttime = enc_part.times.authtime;
-    enc_part.times.endtime = ctx->expiryTime
+    enc_part.times.endtime = (ctx->expiryTime != 0)
                              ? ctx->expiryTime
                              : KRB5_INT32_MAX;
     enc_part.times.renew_till = 0;
@@ -309,11 +309,11 @@ reauthUseCredsCache(krb5_context krbContext,
  * if policy allows.
  */
 static OM_uint32
-getReauthCredentials(OM_uint32 *minor,
-                     gss_cred_id_t cred,
-                     gss_name_t target,
-                     time_t now,
-                     OM_uint32 timeReq)
+getDefaultReauthCredentials(OM_uint32 *minor,
+                            gss_cred_id_t cred,
+                            gss_name_t target,
+                            time_t now,
+                            OM_uint32 timeReq)
 {
     OM_uint32 major = GSS_S_CRED_UNAVAIL;
     krb5_context krbContext = NULL;
@@ -327,7 +327,8 @@ getReauthCredentials(OM_uint32 *minor,
     assert(cred != GSS_C_NO_CREDENTIAL);
     assert(target != GSS_C_NO_NAME);
 
-    if (!reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
+    if (cred->name == GSS_C_NO_NAME ||
+        !reauthUseCredsCache(krbContext, cred->name->krbPrincipal))
         goto cleanup;
 
     match.client = cred->name->krbPrincipal;
@@ -371,24 +372,22 @@ gssEapCanReauthP(gss_cred_id_t cred,
                  gss_name_t target,
                  OM_uint32 timeReq)
 {
-    time_t now;
+    time_t now, expiryReq;
+    OM_uint32 minor;
 
-    if (cred == GSS_C_NO_CREDENTIAL)
-        return FALSE;
+    assert(cred != GSS_C_NO_CREDENTIAL);
 
     now = time(NULL);
+    expiryReq = now;
+    if (timeReq != GSS_C_INDEFINITE)
+        expiryReq += timeReq;
 
-    if (cred->krbCredCache != NULL &&
-        cred->expiryTime > time(NULL) + (timeReq ? timeReq : 0))
+    if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq)
         return TRUE;
 
-    if (cred->name != GSS_C_NO_NAME) {
-        OM_uint32 major, minor;
-
-        major = getReauthCredentials(&minor, cred, target, now, timeReq);
-
-        return !GSS_ERROR(major);
-    }
+    if (getDefaultReauthCredentials(&minor, cred, target,
+                                    now, timeReq) == GSS_S_COMPLETE)
+        return TRUE;
 
     return FALSE;
 }
@@ -447,7 +446,10 @@ gssEapStoreReauthCreds(OM_uint32 *minor,
     krb5_free_principal(krbContext, cred->name->krbPrincipal);
     cred->name->krbPrincipal = canonPrinc;
 
-    cred->expiryTime = creds[0]->times.endtime;
+    if (creds[0]->times.endtime == KRB5_INT32_MAX)
+        cred->expiryTime = 0;
+    else
+        cred->expiryTime = creds[0]->times.endtime;
 
     if (cred->krbCredCache == NULL) {
         if (reauthUseCredsCache(krbContext, creds[0]->client) &&
Moonshot GSS-API mechanism