Merge branch 'master' into tlv-mic
authorLuke Howard <lukeh@padl.com>
Mon, 4 Apr 2011 15:43:07 +0000 (01:43 +1000)
committerLuke Howard <lukeh@padl.com>
Mon, 4 Apr 2011 15:43:07 +0000 (01:43 +1000)
Conflicts:
mech_eap/util_saml.cpp

mech_eap/accept_sec_context.c
mech_eap/gsseap_err.et
mech_eap/inquire_cred.c
mech_eap/util_saml.cpp

index 0619490..16e60fb 100644 (file)
@@ -121,6 +121,11 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
     if (GSS_ERROR(major))
         return major;
 
+    if (ctx->expiryTime < time(NULL)) {
+        *minor = GSSEAP_CRED_EXPIRED;
+        return GSS_S_CREDENTIALS_EXPIRED;
+    }
+
     *minor = 0;
     return GSS_S_COMPLETE;
 }
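Review bot: The new test `if (ctx->expiryTime < time(NULL))` treats an expiryTime of 0 as already expired, since 0 is always less than the current time; in inquire_cred.c in this same commit a zero `expiryTime` means GSS_C_INDEFINITE, so if ctx->expiryTime follows that convention, contexts with no expiry would be refused here. Guarding the sentinel, `if (ctx->expiryTime != 0 && ctx->expiryTime < time(NULL)) {`, keeps the two sites consistent. A comment above the check would make the convention explicit: `/* expiryTime == 0 means no expiry (GSS_C_INDEFINITE); see gss_inquire_cred */`. acceptReadyEap begins before this hunk, so where expiryTime is populated is not visible here.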
index 8349773..6bcfff0 100644 (file)
@@ -78,10 +78,10 @@ error_code GSSEAP_BAD_NAME_TOKEN,               "Name token is malformed or corr
 error_code GSSEAP_BAD_USAGE,                    "Credential usage type is unknown"
 error_code GSSEAP_CRED_USAGE_MISMATCH,          "Credential usage does not match requested usage"
 error_code GSSEAP_CRED_MECH_MISMATCH,           "Credential is not usable with this mechanism"
+error_code GSSEAP_CRED_EXPIRED,                 "Attributes indicate credentials have expired"
 error_code GSSEAP_BAD_CRED_OPTION,              "Bad credential option"
 error_code GSSEAP_NO_DEFAULT_IDENTITY,          "Default credentials identity unavailable"
 error_code GSSEAP_NO_DEFAULT_CRED,              "Missing default password or other credentials"
-
 #
 # Wrap/unwrap/PRF errors
 #
index 243276d..2e684b7 100644 (file)
@@ -45,6 +45,7 @@ gss_inquire_cred(OM_uint32 *minor,
                  gss_OID_set *mechanisms)
 {
     OM_uint32 major;
+    time_t now, lifetime;
 
     if (cred == NULL) {
         *minor = EINVAL;
@@ -59,21 +60,6 @@ gss_inquire_cred(OM_uint32 *minor,
             goto cleanup;
     }
 
-    if (pLifetime != NULL) {
-        time_t now, lifetime;
-
-        if (cred->expiryTime == 0) {
-            lifetime = GSS_C_INDEFINITE;
-        } else  {
-            now = time(NULL);
-            lifetime = now - cred->expiryTime;
-            if (lifetime < 0)
-                lifetime = 0;
-        }
-
-        *pLifetime = lifetime;
-    }
-
     if (cred_usage != NULL) {
         OM_uint32 flags = (cred->flags & (CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT));
 
@@ -99,6 +85,25 @@ gss_inquire_cred(OM_uint32 *minor,
             goto cleanup;
     }
 
+    if (cred->expiryTime == 0) {
+        lifetime = GSS_C_INDEFINITE;
+    } else  {
+        now = time(NULL);
+        lifetime = now - cred->expiryTime;
+        if (lifetime < 0)
+            lifetime = 0;
+    }
+
+    if (pLifetime != NULL) {
+        *pLifetime = lifetime;
+    }
+
+    if (lifetime == 0) {
+        major = GSS_S_CREDENTIALS_EXPIRED;
+        *minor = GSSEAP_CRED_EXPIRED;
+        goto cleanup;
+    }
+
     major = GSS_S_COMPLETE;
     *minor = 0;
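Review bot: The remaining lifetime is computed backwards at `lifetime = now - cred->expiryTime;`: for a credential that expires in the future the result is negative, is clamped to 0, and the new `if (lifetime == 0)` test then fails the call with GSS_S_CREDENTIALS_EXPIRED, while a credential whose expiryTime is already in the past yields a positive lifetime and is reported as valid. The subtraction is carried over from the removed block, but the early return added here turns a wrong number into a wrong verdict. The fix is `lifetime = cred->expiryTime - now;`, keeping the clamp to 0 beneath it. Note also that `cred_usage` and `mechanisms` are already written before the expiry check runs, so callers see partially filled outputs on the error path; if that is not intended the check belongs ahead of those assignments.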
 
index 9658bf0..afce7f7 100644 (file)
@@ -678,16 +678,20 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
                 ssize_t binaryLen;
 
                 value->value = GSSEAP_MALLOC(stringValueLen);
-                if (value->value == NULL)
+                if (value->value == NULL) {
+                    GSSEAP_FREE(stringValue);
                     throw new std::bad_alloc;
+                }
 
                 binaryLen = base64Decode(stringValue, value->value);
                 if (binaryLen < 0) {
                     GSSEAP_FREE(value->value);
+                    GSSEAP_FREE(stringValue);
                     value->value = NULL;
                     return false;
                 }
                 value->length = binaryLen;
+                GSSEAP_FREE(stringValue);
             } else {
                 value->value = stringValue;
                 value->length = stringValueLen;
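Review bot: The allocation-failure path at the top of the hunk now frees stringValue but still throws a pointer, `throw new std::bad_alloc;`, so a handler written as `catch (std::bad_alloc &)` or `catch (std::exception &)` will not match it and the heap-allocated exception object itself is never freed; unless the callers in this file deliberately catch by pointer (they are outside the hunk), `throw std::bad_alloc();` is the form to use. The three separate `GSSEAP_FREE(stringValue)` calls on the error and success paths of the binary branch are easy to get out of sync with the non-binary branch, which hands stringValue to the caller; a one-line comment at the branch, `// binary: stringValue is a temporary and is released on every path; otherwise ownership passes to value->value`, would document the split. getAttribute begins and ends outside this hunk, so the origin of stringValue and the remaining exit paths are not visible here.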