authorLuke Howard <lukeh@padl.com>2009-11-19 16:07:43 +0000
committerLuke Howard <lukeh@padl.com>2009-11-19 16:07:43 +0000
commit6206d44783f3eed94acf59f22ed36b7ae652fb22 (patch)
tree46724dc2e26a8698af6a54c2847177faf21978d8
parentaa4d846efb0948d630cff15f62780efe792f9f4a (diff)
ensure tgt_expire (the ticket end time) is set in cred, don't checksum IAKERB-FINISHED if we skipped straight to krb5
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/iakerb-refonly@23291 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/include/krb5/krb5.hin12
-rw-r--r--src/lib/gssapi/krb5/iakerb.c25
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c4
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc_step.c13
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c13
-rw-r--r--src/lib/krb5/libkrb5.exports2
6 files changed, 61 insertions, 8 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7dcdc4d..0164408 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2332,6 +2332,12 @@ krb5_init_creds_store_creds
krb5_init_creds_context ctx,
krb5_ccache ccache);
+krb5_error_code KRB5_CALLCONV
+krb5_init_creds_get_times
+(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_ticket_times *times);
+
struct _krb5_tkt_creds_context;
typedef struct _krb5_tkt_creds_context *krb5_tkt_creds_context;
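Review bot: The new public prototype `krb5_init_creds_get_times` is added to the installed header with no statement of when it may be called or what it returns, and the definition elsewhere in this commit fails with KRB5_NO_TKT_SUPPLIED and leaves `*times` unwritten until the step loop has completed, which a caller cannot learn from the declaration. Add above it: `/* Copy the ticket times of the credentials obtained by a completed krb5_init_creds_step loop into *times. Returns KRB5_NO_TKT_SUPPLIED, without writing *times, if the context has not completed. */`.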
@@ -2370,6 +2376,12 @@ krb5_tkt_creds_store_creds
krb5_ccache);
krb5_error_code KRB5_CALLCONV
+krb5_tkt_creds_get_times
+(krb5_context,
+ krb5_tkt_creds_context,
+ krb5_ticket_times *times);
+
+krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
krb5_principal client, krb5_keytab arg_keytab,
krb5_deltat start_time, char *in_tkt_service,
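Review bot: `krb5_tkt_creds_get_times` is declared here with an unnamed context and ctx parameter and no comment, while its implementation in this commit returns KRB5_NO_TKT_SUPPLIED and does not touch `*times` before KRB5_TKT_CREDS_STEP_FLAG_COMPLETE is set. Name the parameters for consistency with the `krb5_init_creds_get_times` declaration above and add: `/* Copy the ticket times of the credentials obtained by a completed krb5_tkt_creds_step loop into *times; fails with KRB5_NO_TKT_SUPPLIED, leaving *times unchanged, if the loop has not completed. */`.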
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index fecf941..1019854 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -544,6 +544,7 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
OM_uint32 tmp;
int initialContextToken = (input_token == GSS_C_NO_BUFFER);
unsigned int flags = 0;
+ krb5_ticket_times times;
output_token->length = 0;
output_token->value = NULL;
@@ -595,6 +596,9 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
if (code != 0)
goto cleanup;
+ krb5_init_creds_get_times(ctx->k5c, ctx->u.icc, &times);
+ cred->tgt_expire = times.endtime;
+
krb5_init_creds_free(ctx->k5c, ctx->u.icc);
ctx->u.icc = NULL;
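Review bot: The return value of `krb5_init_creds_get_times` on the first added line is discarded, yet the function introduced by this same commit returns KRB5_NO_TKT_SUPPLIED without writing `*times` when the context is not complete, so `cred->tgt_expire = times.endtime` would then copy an uninitialized stack value into the credential's expiry. Check it the same way as the call above the insertion: `code = krb5_init_creds_get_times(ctx->k5c, ctx->u.icc, &times);` followed by `if (code != 0) goto cleanup;`. Whether `code` is the right variable and cleanup frees `ctx->u.icc` cannot be confirmed from the hunk; iakerb_initiator_step begins and ends outside it.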
@@ -624,6 +628,9 @@ iakerb_initiator_step(iakerb_ctx_id_t ctx,
if (code != 0)
goto cleanup;
+ krb5_tkt_creds_get_times(ctx->k5c, ctx->u.tcc, &times);
+ cred->tgt_expire = times.endtime;
+
krb5_tkt_creds_free(ctx->k5c, ctx->u.tcc);
ctx->u.tcc = NULL;
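Review bot: Same issue as the TGT path: the result of `krb5_tkt_creds_get_times` is ignored, and its definition in gc_frm_kdc_step.c leaves `*times` untouched and returns KRB5_NO_TKT_SUPPLIED when KRB5_TKT_CREDS_STEP_FLAG_COMPLETE is not set, so `cred->tgt_expire` could be assigned from an uninitialized `times.endtime`. Use `code = krb5_tkt_creds_get_times(ctx->k5c, ctx->u.tcc, &times);` and `if (code != 0) goto cleanup;`. The enclosing function starts and ends outside the hunk, so I am assuming `code` and `cleanup` are the same error path used two lines above.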
@@ -825,6 +832,15 @@ iakerb_is_iakerb_token(const gss_buffer_t token)
return (code == 0);
}
+static void
+iakerb_make_exts(iakerb_ctx_id_t ctx, krb5_gss_ctx_ext_rec *exts)
+{
+ memset(exts, 0, sizeof(*exts));
+
+ if (ctx->conv.length != 0)
+ exts->iakerb.conv = &ctx->conv;
+}
+
/*
*
*/
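Review bot: `iakerb_make_exts` has no comment explaining why `conv` is attached only when `ctx->conv.length != 0`, although that condition is now the sole mechanism by which an empty IAKERB conversation suppresses the IAKERB-FINISHED checksum, since this commit reduces the test in make_gss_checksum to a NULL check on the pointer. Because the two halves of that contract live in different files, add above the function: `/* Fill in the krb5 mech extensions for this context. conv is attached only if an IAKERB exchange actually took place (conv.length != 0); make_gss_checksum tests the pointer alone, so a zero-length conv must never be passed through. */`.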
@@ -885,8 +901,7 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
} else {
krb5_gss_ctx_ext_rec exts;
- memset(&exts, 0, sizeof(exts));
- exts.iakerb.conv = &ctx->conv;
+ iakerb_make_exts(ctx, &exts);
major_status = krb5_gss_accept_sec_context_ext(&code,
&ctx->u.gssc,
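Review bot: On the acceptor side, replacing the unconditional `exts.iakerb.conv = &ctx->conv` with `iakerb_make_exts(ctx, &exts)` means a context whose `ctx->conv.length` is zero now passes a NULL conv to krb5_gss_accept_sec_context_ext; whether that makes an IAKERB-FINISHED extension in the authenticator required-absent, optional or simply unverified is decided in accept_sec_context.c, which this commit does not touch, so I cannot tell from the diff that the acceptor still rejects a FINISHED checksum it cannot bind to a conversation. A comment stating the intended acceptor behaviour for the NULL case would help, e.g. `/* No IAKERB messages were exchanged on this context; the authenticator must not carry IAKERB-FINISHED. */`, together with a check in the acceptor that a present extension paired with a NULL conv is an error. iakerb_gss_accept_sec_context begins and ends outside the hunk.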
@@ -997,10 +1012,6 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
if (ctx->state == IAKERB_AP_REQ) {
krb5_gss_ctx_ext_rec exts;
- memset(&exts, 0, sizeof(exts));
-
- exts.iakerb.conv = &ctx->conv;
-
/* Ensure cred is marked as usable for Kerberos mechanism */
if (kcred->iakerb_mech)
kcred->rfc_mech = 1;
@@ -1008,6 +1019,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
k5_mutex_unlock(&kcred->lock);
credLocked = 0;
+ iakerb_make_exts(ctx, &exts);
+
if (ctx->u.gssc == GSS_C_NO_CONTEXT)
input_token = GSS_C_NO_BUFFER;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 883cd87..b09cde5 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -309,7 +309,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
assert(data->exts != NULL);
- if (data->exts->iakerb.conv && data->exts->iakerb.conv->length) {
+ if (data->exts->iakerb.conv) {
assert(auth_context->send_subkey != NULL);
code = iakerb_make_finished(context, auth_context->send_subkey,
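Review bot: The relaxed test `if (data->exts->iakerb.conv)` now depends on every caller never passing a non-NULL conv of zero length; after this commit only iakerb_make_exts in iakerb.c upholds that, and nothing at this site records it. Document the invariant where it is relied on: `/* conv is non-NULL only when an IAKERB exchange took place (see iakerb_make_exts), in which case its length is > 0. */`. The `assert` on the following line is the only guard on `send_subkey` before the call and vanishes under NDEBUG, which is pre-existing but worth keeping in mind now that the branch is entered more directly; make_gss_checksum starts and ends outside the hunk.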
@@ -345,7 +345,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
TWRITE_INT16(ptr, credmsg.length, 0);
TWRITE_STR(ptr, credmsg.data, credmsg.length);
}
- if (data->exts->iakerb.conv && data->exts->iakerb.conv->length) {
+ if (data->exts->iakerb.conv) {
TWRITE_INT(ptr, KRB5_GSS_EXTS_IAKERB_FINISHED, 1);
TWRITE_INT(ptr, finished->length, 1);
TWRITE_STR(ptr, finished->data, finished->length);
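Review bot: This second `if (data->exts->iakerb.conv)` must stay textually identical to the one earlier in make_gss_checksum that calls iakerb_make_finished, because the branch here dereferences `finished->length` and `finished->data`, which only that earlier branch sets; the commit changed both conditions in lockstep, but nothing ties them together for the next edit. Compute the decision once near the top of the function, `int have_finished = (data->exts->iakerb.conv != NULL);`, and test `if (have_finished)` at both sites. The function starts and ends outside the hunk, so I cannot see whether `finished` is initialized to NULL beforehand.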
diff --git a/src/lib/krb5/krb/gc_frm_kdc_step.c b/src/lib/krb5/krb/gc_frm_kdc_step.c
index 4fc45c4..42e1828 100644
--- a/src/lib/krb5/krb/gc_frm_kdc_step.c
+++ b/src/lib/krb5/krb/gc_frm_kdc_step.c
@@ -218,6 +218,19 @@ krb5_tkt_creds_store_creds(krb5_context context,
return code;
}
+krb5_error_code KRB5_CALLCONV
+krb5_tkt_creds_get_times(krb5_context context,
+ krb5_tkt_creds_context ctx,
+ krb5_ticket_times *times)
+{
+ if ((ctx->flags & KRB5_TKT_CREDS_STEP_FLAG_COMPLETE) == 0)
+ return KRB5_NO_TKT_SUPPLIED;
+
+ *times = ctx->out_cred->times;
+
+ return 0;
+}
+
void KRB5_CALLCONV
krb5_tkt_creds_free(krb5_context context,
krb5_tkt_creds_context ctx)
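Review bot: `krb5_tkt_creds_get_times` is a new exported entry point with no comment on its contract, and it reads `ctx->out_cred->times` without a NULL test, assuming that KRB5_TKT_CREDS_STEP_FLAG_COMPLETE implies `out_cred` has been set — plausible, but not something I can confirm from this hunk. Add above the definition: `/* Copy the ticket times of the credential obtained by the completed step loop into *times. Returns KRB5_NO_TKT_SUPPLIED, leaving *times unwritten, if the loop has not completed; callers must not read *times on failure. */`. If `out_cred` can be NULL after completion, guard it with `if (ctx->out_cred == NULL) return KRB5_NO_TKT_SUPPLIED;` before the copy; the only caller added by this commit currently ignores the return value.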
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 226d640..a9b89d0 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1168,6 +1168,19 @@ krb5_init_creds_store_creds(krb5_context context,
}
krb5_error_code KRB5_CALLCONV
+krb5_init_creds_get_times(krb5_context context,
+ krb5_init_creds_context ctx,
+ krb5_ticket_times *times)
+{
+ if ((ctx->flags & KRB5_INIT_CREDS_STEP_FLAG_COMPLETE) == 0)
+ return KRB5_NO_TKT_SUPPLIED;
+
+ *times = ctx->cred.times;
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
krb5_init_creds_get_error(krb5_context context,
krb5_init_creds_context ctx,
krb5_error **error)
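Review bot: `krb5_init_creds_get_times` lacks a comment stating that it is only meaningful once KRB5_INIT_CREDS_STEP_FLAG_COMPLETE is set and that `*times` is not written on the KRB5_NO_TKT_SUPPLIED path, which is exactly the property the new caller in iakerb.c gets wrong by ignoring the return value. Add above the definition: `/* Copy the ticket times of the credentials obtained by the completed init_creds step loop into *times. Returns KRB5_NO_TKT_SUPPLIED without touching *times if the loop has not completed. */`. Unlike the tkt_creds variant, `ctx->cred` is embedded here, so no NULL check is needed, but that asymmetry is worth a word in the comment.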
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 71f8ca5..20810b0 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -365,6 +365,7 @@ krb5_init_creds_free
krb5_init_creds_get
krb5_init_creds_get_creds
krb5_init_creds_get_error
+krb5_init_creds_get_times
krb5_init_creds_init
krb5_init_creds_set_keytab
krb5_init_creds_set_password
@@ -546,6 +547,7 @@ krb5_sync_disk_file
krb5_tgtname
krb5_tkt_creds_free
krb5_tkt_creds_get_creds
+krb5_tkt_creds_get_times
krb5_tkt_creds_init
krb5_tkt_creds_step
krb5_tkt_creds_store_creds