X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_reauth.c;h=47be2a39b18081c7ff57f3bb561db13b95f628b7;hb=163856b1a70d7773c46d4ea5495b85c4dce0f089;hp=c86b2068ff1d101a46e43ecaf224b57d5f204fa3;hpb=d122d22b2748ce2d88f9c6e96f94949e3c20a6b6;p=mech_eap.git diff --git a/util_reauth.c b/util_reauth.c index c86b206..47be2a3 100644 --- a/util_reauth.c +++ b/util_reauth.c @@ -30,6 +30,10 @@ * SUCH DAMAGE. */ +/* + * Fast reauthentication support. + */ + #include "gssapiP_eap.h" #include @@ -181,14 +185,8 @@ gssEapMakeReauthCreds(OM_uint32 *minor, code = getAcceptorKey(krbContext, ctx, cred, &ticket.server, &acceptorKey); if (code == KRB5_KT_NOTFOUND) { - gss_buffer_desc emptyToken = { 0, "" }; - - /* - * If we can't produce the KRB-CRED message, we need to - * return an empty (not NULL) token to the caller so we - * don't change the number of authentication legs. - */ - return duplicateBuffer(minor, &emptyToken, credBuf); + *minor = code; + return GSS_S_UNAVAILABLE; } else if (code != 0) goto cleanup; @@ -207,7 +205,7 @@ gssEapMakeReauthCreds(OM_uint32 *minor, enc_part.client = ctx->initiatorName->krbPrincipal; enc_part.times.authtime = time(NULL); enc_part.times.starttime = enc_part.times.authtime; - enc_part.times.endtime = ctx->expiryTime + enc_part.times.endtime = (ctx->expiryTime != 0) ? ctx->expiryTime : KRB5_INT32_MAX; enc_part.times.renew_till = 0; @@ -277,7 +275,7 @@ static int isTicketGrantingServiceP(krb5_context krbContext, krb5_const_principal principal) { - if (krb5_princ_size(krbContext, principal) == 2 && + if (KRB_PRINC_LENGTH(principal) == 2 && krb5_princ_component(krbContext, principal, 0)->length == 6 && memcmp(krb5_princ_component(krbContext, principal, 0)->data, "krbtgt", 6) == 0) @@ -309,15 +307,15 @@ reauthUseCredsCache(krb5_context krbContext, * if policy allows. */ static OM_uint32 -getReauthCredentials(OM_uint32 *minor, - gss_cred_id_t cred, - gss_name_t target, - time_t now, - OM_uint32 timeReq) +getDefaultReauthCredentials(OM_uint32 *minor, + gss_cred_id_t cred, + gss_name_t target, + time_t now, + OM_uint32 timeReq) { OM_uint32 major = GSS_S_CRED_UNAVAIL; krb5_context krbContext = NULL; - krb5_error_code code; + krb5_error_code code = 0; krb5_ccache ccache = NULL; krb5_creds match = { 0 }; krb5_creds creds = { 0 }; @@ -327,7 +325,8 @@ getReauthCredentials(OM_uint32 *minor, assert(cred != GSS_C_NO_CREDENTIAL); assert(target != GSS_C_NO_NAME); - if (!reauthUseCredsCache(krbContext, cred->name->krbPrincipal)) + if (cred->name == GSS_C_NO_NAME || + !reauthUseCredsCache(krbContext, cred->name->krbPrincipal)) goto cleanup; match.client = cred->name->krbPrincipal; @@ -371,24 +370,22 @@ gssEapCanReauthP(gss_cred_id_t cred, gss_name_t target, OM_uint32 timeReq) { - time_t now; + time_t now, expiryReq; + OM_uint32 minor; - if (cred == GSS_C_NO_CREDENTIAL) - return FALSE; + assert(cred != GSS_C_NO_CREDENTIAL); now = time(NULL); + expiryReq = now; + if (timeReq != GSS_C_INDEFINITE) + expiryReq += timeReq; - if (cred->krbCredCache != NULL && - cred->expiryTime > time(NULL) + (timeReq ? timeReq : 0)) + if (cred->krbCredCache != NULL && cred->expiryTime > expiryReq) return TRUE; - if (cred->name != GSS_C_NO_NAME) { - OM_uint32 major, minor; - - major = getReauthCredentials(&minor, cred, target, now, timeReq); - - return !GSS_ERROR(major); - } + if (getDefaultReauthCredentials(&minor, cred, target, + now, timeReq) == GSS_S_COMPLETE) + return TRUE; return FALSE; } @@ -447,7 +444,10 @@ gssEapStoreReauthCreds(OM_uint32 *minor, krb5_free_principal(krbContext, cred->name->krbPrincipal); cred->name->krbPrincipal = canonPrinc; - cred->expiryTime = creds[0]->times.endtime; + if (creds[0]->times.endtime == KRB5_INT32_MAX) + cred->expiryTime = 0; + else + cred->expiryTime = creds[0]->times.endtime; if (cred->krbCredCache == NULL) { if (reauthUseCredsCache(krbContext, creds[0]->client) && @@ -802,11 +802,20 @@ static OM_uint32 gss_buffer_t, int *); -#define NEXT_SYMBOL(local, global) ((local) = dlsym(RTLD_NEXT, (global))) +#define NEXT_SYMBOL(local, global) do { \ + ((local) = dlsym(RTLD_NEXT, (global))); \ + if ((local) == NULL) { \ + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; \ + major = GSS_S_UNAVAILABLE; \ + /* but continue */ \ + } \ + } while (0) OM_uint32 gssEapReauthInitialize(OM_uint32 *minor) { + OM_uint32 major = GSS_S_COMPLETE; + NEXT_SYMBOL(gssInitSecContextNext, "gss_init_sec_context"); NEXT_SYMBOL(gssAcceptSecContextNext, "gss_accept_sec_context"); NEXT_SYMBOL(gssReleaseCredNext, "gss_release_cred"); @@ -818,7 +827,7 @@ gssEapReauthInitialize(OM_uint32 *minor) NEXT_SYMBOL(gssStoreCredNext, "gss_store_cred"); NEXT_SYMBOL(gssGetNameAttributeNext, "gss_get_name_attribute"); - return GSS_S_COMPLETE; + return major; } OM_uint32 @@ -836,8 +845,10 @@ gssInitSecContext(OM_uint32 *minor, OM_uint32 *ret_flags, OM_uint32 *time_rec) { - if (gssInitSecContextNext == NULL) + if (gssInitSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssInitSecContextNext(minor, cred, context_handle, target_name, mech_type, req_flags, @@ -859,8 +870,10 @@ gssAcceptSecContext(OM_uint32 *minor, OM_uint32 *time_rec, gss_cred_id_t *delegated_cred_handle) { - if (gssAcceptSecContextNext == NULL) + if (gssAcceptSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssAcceptSecContextNext(minor, context_handle, cred, input_token, input_chan_bindings, @@ -872,8 +885,10 @@ OM_uint32 gssReleaseCred(OM_uint32 *minor, gss_cred_id_t *cred_handle) { - if (gssReleaseCredNext == NULL) + if (gssReleaseCredNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssReleaseCredNext(minor, cred_handle); } @@ -882,8 +897,10 @@ OM_uint32 gssReleaseName(OM_uint32 *minor, gss_name_t *name) { - if (gssReleaseName == NULL) + if (gssReleaseName == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssReleaseNameNext(minor, name); } @@ -893,8 +910,10 @@ gssDeleteSecContext(OM_uint32 *minor, gss_ctx_id_t *context_handle, gss_buffer_t output_token) { - if (gssDeleteSecContextNext == NULL) + if (gssDeleteSecContextNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssDeleteSecContextNext(minor, context_handle, output_token); } @@ -905,8 +924,10 @@ gssDisplayName(OM_uint32 *minor, gss_buffer_t buffer, gss_OID *name_type) { - if (gssDisplayNameNext == NULL) + if (gssDisplayNameNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssDisplayNameNext(minor, name, buffer, name_type); } @@ -917,8 +938,10 @@ gssImportName(OM_uint32 *minor, gss_OID name_type, gss_name_t *name) { - if (gssImportNameNext == NULL) + if (gssImportNameNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssImportNameNext(minor, buffer, name_type, name); } @@ -929,8 +952,10 @@ gssInquireSecContextByOid(OM_uint32 *minor, const gss_OID desired_object, gss_buffer_set_t *data_set) { - if (gssInquireSecContextByOidNext == NULL) + if (gssInquireSecContextByOidNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssInquireSecContextByOidNext(minor, context_handle, desired_object, data_set); @@ -946,8 +971,10 @@ gssStoreCred(OM_uint32 *minor, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored) { - if (gssStoreCredNext == NULL) + if (gssStoreCredNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssStoreCredNext(minor, input_cred_handle, input_usage, desired_mech, overwrite_cred, default_cred, @@ -964,8 +991,10 @@ gssGetNameAttribute(OM_uint32 *minor, gss_buffer_t display_value, int *more) { - if (gssGetNameAttributeNext == NULL) + if (gssGetNameAttributeNext == NULL) { + *minor = GSSEAP_NO_MECHGLUE_SYMBOL; return GSS_S_UNAVAILABLE; + } return gssGetNameAttributeNext(minor, name, attr, authenticated, complete, value, display_value, more);