X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_reauth.c;h=47be2a39b18081c7ff57f3bb561db13b95f628b7;hb=163856b1a70d7773c46d4ea5495b85c4dce0f089;hp=6a476a500b4c66c585cd7d73e183ffd76f762941;hpb=90e62e24425c3842371383bbb5ae328a804f57e8;p=mech_eap.orig

diff --git a/util_reauth.c b/util_reauth.c
index 6a476a5..47be2a3 100644
--- a/util_reauth.c
+++ b/util_reauth.c
@@ -30,6 +30,10 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * Fast reauthentication support.
+ */
+
 #include "gssapiP_eap.h"
 
 #include <dlfcn.h>
@@ -181,14 +185,8 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     code = getAcceptorKey(krbContext, ctx, cred,
                           &ticket.server, &acceptorKey);
     if (code == KRB5_KT_NOTFOUND) {
-        gss_buffer_desc emptyToken = { 0, "" };
-
-        /*
-         * If we can't produce the KRB-CRED message, we need to
-         * return an empty (not NULL) token to the caller so we
-         * don't change the number of authentication legs.
-         */
-        return duplicateBuffer(minor, &emptyToken, credBuf);
+        *minor = code;
+        return GSS_S_UNAVAILABLE;
     } else if (code != 0)
         goto cleanup;
 
@@ -207,7 +205,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor,
     enc_part.client = ctx->initiatorName->krbPrincipal;
     enc_part.times.authtime = time(NULL);
     enc_part.times.starttime = enc_part.times.authtime;
-    enc_part.times.endtime = ctx->expiryTime
+    enc_part.times.endtime = (ctx->expiryTime != 0)
                              ? ctx->expiryTime
                              : KRB5_INT32_MAX;
     enc_part.times.renew_till = 0;
@@ -277,7 +275,7 @@ static int
 isTicketGrantingServiceP(krb5_context krbContext,
                          krb5_const_principal principal)
 {
-    if (krb5_princ_size(krbContext, principal) == 2 &&
+    if (KRB_PRINC_LENGTH(principal) == 2 &&
         krb5_princ_component(krbContext, principal, 0)->length == 6 &&
         memcmp(krb5_princ_component(krbContext,
                                     principal, 0)->data, "krbtgt", 6) == 0)
@@ -317,7 +315,7 @@ getDefaultReauthCredentials(OM_uint32 *minor,
 {
     OM_uint32 major = GSS_S_CRED_UNAVAIL;
     krb5_context krbContext = NULL;
-    krb5_error_code code;
+    krb5_error_code code = 0;
     krb5_ccache ccache = NULL;
     krb5_creds match = { 0 };
     krb5_creds creds = { 0 };
@@ -446,7 +444,10 @@ gssEapStoreReauthCreds(OM_uint32 *minor,
     krb5_free_principal(krbContext, cred->name->krbPrincipal);
     cred->name->krbPrincipal = canonPrinc;
 
-    cred->expiryTime = creds[0]->times.endtime;
+    if (creds[0]->times.endtime == KRB5_INT32_MAX)
+        cred->expiryTime = 0;
+    else
+        cred->expiryTime = creds[0]->times.endtime;
 
     if (cred->krbCredCache == NULL) {
         if (reauthUseCredsCache(krbContext, creds[0]->client) &&
@@ -801,11 +802,20 @@ static OM_uint32
                           gss_buffer_t,
                           int *);
 
-#define NEXT_SYMBOL(local, global)  ((local) = dlsym(RTLD_NEXT, (global)))
+#define NEXT_SYMBOL(local, global)  do {        \
+        ((local) = dlsym(RTLD_NEXT, (global))); \
+        if ((local) == NULL) {                  \
+            *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \
+            major = GSS_S_UNAVAILABLE;          \
+            /* but continue */                  \
+        }                                       \
+    } while (0)
 
 OM_uint32
 gssEapReauthInitialize(OM_uint32 *minor)
 {
+    OM_uint32 major = GSS_S_COMPLETE;
+
     NEXT_SYMBOL(gssInitSecContextNext,         "gss_init_sec_context");
     NEXT_SYMBOL(gssAcceptSecContextNext,       "gss_accept_sec_context");
     NEXT_SYMBOL(gssReleaseCredNext,            "gss_release_cred");
@@ -817,7 +827,7 @@ gssEapReauthInitialize(OM_uint32 *minor)
     NEXT_SYMBOL(gssStoreCredNext,              "gss_store_cred");
     NEXT_SYMBOL(gssGetNameAttributeNext,       "gss_get_name_attribute");
 
-    return GSS_S_COMPLETE;
+    return major;
 }
 
 OM_uint32
@@ -835,8 +845,10 @@ gssInitSecContext(OM_uint32 *minor,
                   OM_uint32 *ret_flags,
                   OM_uint32 *time_rec)
 {
-    if (gssInitSecContextNext == NULL)
+    if (gssInitSecContextNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssInitSecContextNext(minor, cred, context_handle,
                                  target_name, mech_type, req_flags,
@@ -858,8 +870,10 @@ gssAcceptSecContext(OM_uint32 *minor,
                     OM_uint32 *time_rec,
                     gss_cred_id_t *delegated_cred_handle)
 {
-    if (gssAcceptSecContextNext == NULL)
+    if (gssAcceptSecContextNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssAcceptSecContextNext(minor, context_handle, cred,
                                    input_token, input_chan_bindings,
@@ -871,8 +885,10 @@ OM_uint32
 gssReleaseCred(OM_uint32 *minor,
                gss_cred_id_t *cred_handle)
 {
-    if (gssReleaseCredNext == NULL)
+    if (gssReleaseCredNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssReleaseCredNext(minor, cred_handle);
 }
@@ -881,8 +897,10 @@ OM_uint32
 gssReleaseName(OM_uint32 *minor,
                gss_name_t *name)
 {
-    if (gssReleaseName == NULL)
+    if (gssReleaseName == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssReleaseNameNext(minor, name);
 }
@@ -892,8 +910,10 @@ gssDeleteSecContext(OM_uint32 *minor,
                     gss_ctx_id_t *context_handle,
                     gss_buffer_t output_token)
 {
-    if (gssDeleteSecContextNext == NULL)
+    if (gssDeleteSecContextNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssDeleteSecContextNext(minor, context_handle, output_token);
 }
@@ -904,8 +924,10 @@ gssDisplayName(OM_uint32 *minor,
                gss_buffer_t buffer,
                gss_OID *name_type)
 {
-    if (gssDisplayNameNext == NULL)
+    if (gssDisplayNameNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssDisplayNameNext(minor, name, buffer, name_type);
 }
@@ -916,8 +938,10 @@ gssImportName(OM_uint32 *minor,
               gss_OID name_type,
               gss_name_t *name)
 {
-    if (gssImportNameNext == NULL)
+    if (gssImportNameNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssImportNameNext(minor, buffer, name_type, name);
 }
@@ -928,8 +952,10 @@ gssInquireSecContextByOid(OM_uint32 *minor,
                           const gss_OID desired_object,
                           gss_buffer_set_t *data_set)
 {
-    if (gssInquireSecContextByOidNext == NULL)
+    if (gssInquireSecContextByOidNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssInquireSecContextByOidNext(minor, context_handle,
                                          desired_object, data_set);
@@ -945,8 +971,10 @@ gssStoreCred(OM_uint32 *minor,
              gss_OID_set *elements_stored,
              gss_cred_usage_t *cred_usage_stored)
 {
-    if (gssStoreCredNext == NULL)
+    if (gssStoreCredNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssStoreCredNext(minor, input_cred_handle, input_usage,
                             desired_mech, overwrite_cred, default_cred,
@@ -963,8 +991,10 @@ gssGetNameAttribute(OM_uint32 *minor,
                     gss_buffer_t display_value,
                     int *more)
 {
-    if (gssGetNameAttributeNext == NULL)
+    if (gssGetNameAttributeNext == NULL) {
+        *minor = GSSEAP_NO_MECHGLUE_SYMBOL;
         return GSS_S_UNAVAILABLE;
+    }
 
     return gssGetNameAttributeNext(minor, name, attr, authenticated, complete,
                                    value, display_value, more);