
recover reauth if initiator sent host ticket and we don't accept it

commit 98bb8497942cb9eb2b5518af957094f7d0d54306 1 parent 46fbf8d
Luke Howard authored March 30, 2013

Showing 1 changed file with 15 additions and 2 deletions. Show diff stats Hide diff stats

  1. 17  mech_browserid/accept_sec_context.c
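--- a/mech_browserid/accept_sec_context.c
+++ b/mech_browserid/accept_sec_context.c
@@ -191,8 +191,21 @@ gssBidAcceptSecContext(OM_uint32 *minor,
                                  &ulBidFlags);
         major = gssBidMapError(minor, err);
         if (ulBidFlags & BID_VERIFY_FLAG_REAUTH) {
-            /* recoverable errors */
-            if (err == BID_S_INVALID_ASSERTION || err == BID_S_EXPIRED_ASSERTION) {
+            uint32_t ulContextOptions = 0;
+
+            BIDGetContextParam(ctx->bidContext, BID_PARAM_CONTEXT_OPTIONS, (void **)&ulContextOptions);
+
+            /*
+             * The following errors are recoverable and the initiator should send a
+             * fresh, certificate-signed assertion:
+             *
+             * - The assertion was not found in the replay cache
+             * - The assertion has expired
+             * - The initiator assumed it could send a ticket for the host SPN
+             *   but the acceptor does not have HOST_SPN_ALIAS set
+             */
+            if (err == BID_S_INVALID_ASSERTION || err == BID_S_EXPIRED_ASSERTION ||
+                ((ulContextOptions & BID_CONTEXT_HOST_SPN_ALIAS) == 0 && err == BID_S_BAD_AUDIENCE)) {
                 major = GSS_S_CONTINUE_NEEDED;
                 *minor = GSSBID_REAUTH_FAILED;
             } else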
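Review bot: The result of `BIDGetContextParam(ctx->bidContext, BID_PARAM_CONTEXT_OPTIONS, (void **)&ulContextOptions)` is discarded, so if the lookup fails `ulContextOptions` keeps its initial 0, `BID_CONTEXT_HOST_SPN_ALIAS` reads as unset, and a `BID_S_BAD_AUDIENCE` error is silently reclassified as recoverable (`GSS_S_CONTINUE_NEEDED`) — a lookup failure should not widen the set of errors the acceptor tolerates. Whatever status the call returns, it should be checked and the `BID_S_BAD_AUDIENCE` clause taken only on success; otherwise fall through to the existing non-recoverable path. The cast `(void **)&ulContextOptions` also deserves a second look: if the callee stores a pointer-sized value through its out-parameter, that write overruns a 4-byte `uint32_t` on 64-bit targets, whereas passing the address of a correctly typed variable (or a `void *` that is then converted) avoids the strict-aliasing and size hazard; I cannot see the callee's contract from this hunk, so this is worth confirming against its declaration. The enclosing `gssBidAcceptSecContext` body starts and ends outside the hunk.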

0 notes on commit 98bb849
