From 9cc755a4b69ceae4461aab1799b50a8d746d5f71 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 5 Apr 2011 01:41:18 +1000
Subject: [PATCH] return GSS_S_CREDENTIALS_EXPIRED if credentials expired

---
 mech_eap/accept_sec_context.c | 5 +++++
 mech_eap/gsseap_err.et | 2 +-
 mech_eap/inquire_cred.c | 35 ++++++++++++++++++++---------------
 3 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c
index a0421ea..d54ea48 100644
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -121,6 +121,11 @@ acceptReadyEap(OM_uint32 *minor, gss_ctx_id_t ctx, gss_cred_id_t cred)
 if (GSS_ERROR(major))
 return major;
+ if (ctx->expiryTime < time(NULL)) {
+ *minor = GSSEAP_CRED_EXPIRED;
+ return GSS_S_CREDENTIALS_EXPIRED;
+ }
+
 *minor = 0;
 return GSS_S_COMPLETE;
 }
diff --git a/mech_eap/gsseap_err.et b/mech_eap/gsseap_err.et
index 8349773..6bcfff0 100644
--- a/mech_eap/gsseap_err.et
+++ b/mech_eap/gsseap_err.et
@@ -78,10 +78,10 @@ error_code GSSEAP_BAD_NAME_TOKEN, "Name token is malformed or corr
 error_code GSSEAP_BAD_USAGE, "Credential usage type is unknown"
 error_code GSSEAP_CRED_USAGE_MISMATCH, "Credential usage does not match requested usage"
 error_code GSSEAP_CRED_MECH_MISMATCH, "Credential is not usable with this mechanism"
+error_code GSSEAP_CRED_EXPIRED, "Attributes indicate credentials have expired"
 error_code GSSEAP_BAD_CRED_OPTION, "Bad credential option"
 error_code GSSEAP_NO_DEFAULT_IDENTITY, "Default credentials identity unavailable"
 error_code GSSEAP_NO_DEFAULT_CRED, "Missing default password or other credentials"
-
 #
 # Wrap/unwrap/PRF errors
 #
diff --git a/mech_eap/inquire_cred.c b/mech_eap/inquire_cred.c
index 243276d..2e684b7 100644
--- a/mech_eap/inquire_cred.c
+++ b/mech_eap/inquire_cred.c
@@ -45,6 +45,7 @@ gss_inquire_cred(OM_uint32 *minor,
 gss_OID_set *mechanisms)
 {
 OM_uint32 major;
+ time_t now, lifetime;
 if (cred == NULL) {
 *minor = EINVAL;
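Review bot: In acceptReadyEap (mech_eap/accept_sec_context.c) the new `ctx->expiryTime < time(NULL)` test has no carve-out for an unset expiry. The inquire_cred.c part of this same patch treats `cred->expiryTime == 0` as GSS_C_INDEFINITE; if the context field follows the same convention (not visible in this hunk), every acceptor context without an expiry would be rejected with GSS_S_CREDENTIALS_EXPIRED. Suggest `if (ctx->expiryTime != 0 && ctx->expiryTime < time(NULL)) {` together with a comment stating what a zero expiry means. The function body starts above the hunk, so where expiryTime is populated cannot be checked from here.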
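Review bot: GSSEAP_CRED_EXPIRED is inserted in the middle of the table in mech_eap/gsseap_err.et, and com_err tables number their codes by position, so GSSEAP_BAD_CRED_OPTION and every code after it receive a new numeric value. Binaries built against the previously generated header, and any logs or alert rules keyed on the numeric minor status, would then misreport these errors; appending the new code after the last existing entry keeps the old values stable. The message says "Attributes indicate ...", yet inquire_cred.c in this patch returns the same code from the credential's own expiry time, so a neutral text such as `"Credentials have expired"` would fit both callers. The removal of the blank line before the `# Wrap/unwrap/PRF errors` banner looks unintentional.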
@@ -59,21 +60,6 @@ gss_inquire_cred(OM_uint32 *minor,
 goto cleanup;
 }
- if (pLifetime != NULL) {
- time_t now, lifetime;
-
- if (cred->expiryTime == 0) {
- lifetime = GSS_C_INDEFINITE;
- } else {
- now = time(NULL);
- lifetime = now - cred->expiryTime;
- if (lifetime < 0)
- lifetime = 0;
- }
-
- *pLifetime = lifetime;
- }
-
 if (cred_usage != NULL) {
 OM_uint32 flags = (cred->flags & (CRED_FLAG_INITIATE | CRED_FLAG_ACCEPT));
@@ -99,6 +85,25 @@ gss_inquire_cred(OM_uint32 *minor,
 goto cleanup;
 }
+ if (cred->expiryTime == 0) {
+ lifetime = GSS_C_INDEFINITE;
+ } else {
+ now = time(NULL);
+ lifetime = now - cred->expiryTime;
+ if (lifetime < 0)
+ lifetime = 0;
+ }
+
+ if (pLifetime != NULL) {
+ *pLifetime = lifetime;
+ }
+
+ if (lifetime == 0) {
+ major = GSS_S_CREDENTIALS_EXPIRED;
+ *minor = GSSEAP_CRED_EXPIRED;
+ goto cleanup;
+ }
+
 major = GSS_S_COMPLETE;
 *minor = 0;
-- 
2.1.4
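Review bot: The subtraction in `lifetime = now - cred->expiryTime;` (last hunk of mech_eap/inquire_cred.c) is reversed, and with the new `if (lifetime == 0)` test that error now decides the return status. A credential whose expiry lies in the future gives a negative value, is clamped to 0 and is reported as GSS_S_CREDENTIALS_EXPIRED, while one whose expiry has already passed gives a positive lifetime and falls through to GSS_S_COMPLETE. Use `lifetime = cred->expiryTime - now;` and keep the clamp. Since `lifetime` also carries GSS_C_INDEFINITE, a separate flag set in the `else` branch would state the expiry decision more clearly than comparing the clamped value with 0. The function and its `cleanup` label lie outside the hunk, so whether outputs filled in earlier are released on this new error path cannot be checked from here.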