s/kerberosCtx/reauthCtx/g

[moonshot.git] / mech_eap / accept_sec_context.c

diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c
index 5829ed9..6776047 100644 (file)
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -72,7 +72,7 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
 
     major = gssEapRadiusGetRawAvp(minor, ctx->acceptorCtx.vps,
                                   PW_USER_NAME, 0, &vp);
-    if (major == GSS_S_COMPLETE) {
+    if (major == GSS_S_COMPLETE && vp->length) {
         nameBuf.length = vp->length;
         nameBuf.value = vp->vp_strvalue;
     } else {
@@ -82,6 +82,7 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
     major = gssEapImportName(minor, &nameBuf,
                              (ctx->gssFlags & GSS_C_ANON_FLAG) ?
                                 GSS_C_NT_ANONYMOUS : GSS_C_NT_USER_NAME,
+                             ctx->mechanismUsed,
                              &ctx->initiatorName);
     if (GSS_ERROR(major))
         return major;
@@ -120,6 +121,11 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
     if (GSS_ERROR(major))
         return major;
 
+    if (ctx->expiryTime != 0 && ctx->expiryTime < time(NULL)) {
+        *minor = GSSEAP_CRED_EXPIRED;
+        return GSS_S_CREDENTIALS_EXPIRED;
+    }
+
     *minor = 0;
     return GSS_S_COMPLETE;
 }
@@ -272,7 +278,7 @@ importInitiatorIdentity(OM_uint32 *minor,
     gssEapReleaseName(&tmpMinor, &ctx->initiatorName);
 
     return gssEapImportName(minor, &nameBuf, GSS_C_NT_USER_NAME,
-                            &ctx->initiatorName);
+                            ctx->mechanismUsed, &ctx->initiatorName);
 }
 
 /*
@@ -420,7 +426,7 @@ createRadiusHandle(OM_uint32 *minor,
     assert(actx->radContext == NULL);
     assert(actx->radConn == NULL);
 
-    if (rs_context_create(&actx->radContext, RS_DICT_FILE) != 0) {
+    if (rs_context_create(&actx->radContext) != 0) {
         *minor = GSSEAP_RADSEC_CONTEXT_FAILURE;
         return GSS_S_FAILURE;
     }
@@ -442,6 +448,11 @@ createRadiusHandle(OM_uint32 *minor,
         goto fail;
     }
 
+    if (rs_context_init_freeradius_dict(actx->radContext, NULL) != 0) {
+        err = rs_err_ctx_pop(actx->radContext);
+        goto fail;
+    }
+
     if (rs_conn_create(actx->radContext, &actx->radConn, configStanza) != 0) {
         err = rs_err_conn_pop(actx->radConn);
         goto fail;
@@ -870,8 +881,14 @@ gss_accept_sec_context(OM_uint32 *minor,
         goto cleanup;
 
     if (mech_type != NULL) {
-        if (!gssEapInternalizeOid(ctx->mechanismUsed, mech_type))
-            duplicateOid(&tmpMinor, ctx->mechanismUsed, mech_type);
+        OM_uint32 tmpMajor;
+
+        tmpMajor = gssEapCanonicalizeOid(&tmpMinor, ctx->mechanismUsed, 0, mech_type);
+        if (GSS_ERROR(tmpMajor)) {
+            major = tmpMajor;
+            *minor = tmpMinor;
+            goto cleanup;
+        }
     }
     if (ret_flags != NULL)
         *ret_flags = ctx->gssFlags;
@@ -954,7 +971,7 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
     ctx->flags |= CTX_FLAG_KRB_REAUTH;
 
     major = gssAcceptSecContext(minor,
-                                &ctx->kerberosCtx,
+                                &ctx->reauthCtx,
                                 cred->krbCred,
                                 inputToken,
                                 chanBindings,
@@ -974,7 +991,7 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
     } else if (GSS_ERROR(major) &&
         (*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0) {
         /* pretend reauthentication attempt never happened */
-        gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
+        gssDeleteSecContext(&tmpMinor, &ctx->reauthCtx, GSS_C_NO_BUFFER);
         ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
         GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
         major = GSS_S_CONTINUE_NEEDED;