svn rev #23413: branches/fast-negotiate/src/ include/ include/krb5/ lib/krb5/ ...

hartmans@MIT.EDU hartmans at MIT.EDU
Wed Dec 2 11:16:22 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=23413
Commit By: hartmans
Log Message:
Add
krb5_get_init_creds_opt_{set_fast_flags|get_fast_flags|set_out_ccache}


Changed Files:
U   branches/fast-negotiate/src/include/k5-int.h
U   branches/fast-negotiate/src/include/krb5/krb5.hin
U   branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c
U   branches/fast-negotiate/src/lib/krb5/libkrb5.exports
Modified: branches/fast-negotiate/src/include/k5-int.h
===================================================================
--- branches/fast-negotiate/src/include/k5-int.h	2009-12-02 16:16:19 UTC (rev 23412)
+++ branches/fast-negotiate/src/include/k5-int.h	2009-12-02 16:16:22 UTC (rev 23413)
@@ -1185,6 +1185,8 @@
     int num_preauth_data;
     krb5_gic_opt_pa_data *preauth_data;
     char * fast_ccache_name;
+    krb5_ccache out_ccache;
+    krb5_flags fast_flags;
 } krb5_gic_opt_private;
 
 /*
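Review bot: The two new fields in krb5_gic_opt_private carry no comment about ownership, and out_ccache in particular is closed by the options free path (gic_opt.c) but populated from a freshly resolved handle rather than the caller's, which is not obvious from the struct. A short comment on the added lines would save the next reader a trip through gic_opt.c, e.g. `krb5_ccache out_ccache;   /* owned by the opt; closed when the opt is freed */` and `krb5_flags fast_flags;    /* set/get via krb5_get_init_creds_opt_{set,get}_fast_flags */`. The struct definition begins outside the hunk.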

Modified: branches/fast-negotiate/src/include/krb5/krb5.hin
===================================================================
--- branches/fast-negotiate/src/include/krb5/krb5.hin	2009-12-02 16:16:19 UTC (rev 23412)
+++ branches/fast-negotiate/src/include/krb5/krb5.hin	2009-12-02 16:16:22 UTC (rev 23413)
@@ -2273,16 +2273,35 @@
 
 krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
+/**This API sets a ccache name that will contain some TGT on calls to
+     get_init_creds functions.  If set, this ccache will be used for FAST
+     (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from
+     observation and active attack.  If the fast_ccache_name is set, then FAST
+     may be required by the client library.  In this and future versions, FAST
+     will be used if available; krb5_get_init_creds_opt_set_fast_flags() may be
+     used to require that the request fail is FAST is unavailable.  In MIT
+     Kerberos 1.7 setting the fast ccache at all required that FAST be present
+     or the request would fail.*/
                                              krb5_get_init_creds_opt *opt,
                                              const char *fast_ccache_name);
 
-/*   This API sets a ccache name that will contain some TGT on
-     calls to get_init_creds functions.   If set, this ccache will
-     be used for FAST (draft-ietf-krb-wg-preauth-framework) to
-     protect the AS-REQ from observation and active attack.  If
-     the fast_ccache_name is set, then FAST may be required by the
-     client library.  In this version FAST is required.*/
+/**Set a ccache where resulting credentials will be stored.  If set, then the
+ * krb5_get_init_creds family of APIs will write out credentials to the given
+ * ccache.  Setting an output ccache is desirable both because it simplifies
+ * calling code and because it permits the krb5_get_init_creds APIs to write
+ * out configuration information about the realm to the ccache.
+ */
 krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+
+krb5_error_code KRB5_CALLCONV
 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
                              krb5_principal client, char *password,
                              krb5_prompter_fct prompter, void *data,
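Review bot: The new doc comment for krb5_get_init_creds_opt_set_fast_ccache_name is inserted inside the prototype's parameter list, between the `krb5_context context,` line and `krb5_get_init_creds_opt *opt,`; it compiles because it is a comment, but doc tools and readers expect it before the `krb5_error_code KRB5_CALLCONV` line, so move it above the prototype. The same comment has a typo, `fail is FAST is unavailable` should read `fail if FAST is unavailable`. The two new fast_flags prototypes have no documentation at all, and the flag values a caller may pass are not named anywhere in this change; a comment on set_fast_flags stating which flags are accepted and what get_fast_flags returns for an opt that never had flags set (the implementation yields 0) would complete the API. The set_out_ccache comment should also state ownership: the implementation resolves its own handle from the supplied cache and closes it when the opt is freed, so the caller keeps responsibility for closing the ccache it passed in.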

Modified: branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c	2009-12-02 16:16:19 UTC (rev 23412)
+++ branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c	2009-12-02 16:16:22 UTC (rev 23413)
@@ -149,6 +149,8 @@
         free_gic_opt_ext_preauth_data(context, opte);
     if (opte->opt_private->fast_ccache_name)
         free(opte->opt_private->fast_ccache_name);
+    if (opte->opt_private->out_ccache)
+        krb5_cc_close(context, opte->opt_private->out_ccache);
     free(opte->opt_private);
     opte->opt_private = NULL;
     return 0;
@@ -486,3 +488,56 @@
         retval = ENOMEM;
     return retval;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
+{
+    krb5_error_code retval = 0;
+    krb5_gic_opt_ext *opte;
+
+    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+                                     "krb5_get_init_creds_opt_set_out_ccache");
+    if (retval)
+        return retval;
+    if (opte->opt_private->out_ccache) {
+        krb5_cc_close(context,  opte->opt_private->out_ccache);
+        opte->opt_private->out_ccache = NULL;
+    }
+    retval = krb5_cc_resolve(context, krb5_cc_get_name(context, ccache),
+                            &opte->opt_private->out_ccache);
+        return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)
+{
+    krb5_error_code retval = 0;
+    krb5_gic_opt_ext *opte;
+
+    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+                                     "krb5_get_init_creds_opt_set_fast_flags");
+    if (retval)
+        return retval;
+    opte->opt_private->fast_flags = flags;
+        return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)
+{
+    krb5_error_code retval = 0;
+    krb5_gic_opt_ext *opte;
+    if (out_flags == NULL)
+        return EINVAL;
+    *out_flags = 0;
+    retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+                                     "krb5_get_init_creds_opt_get_fast_flags");
+    if (retval)
+        return retval;
+    *out_flags = opte->opt_private->fast_flags;
+        return retval;
+}
+
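Review bot: In krb5_get_init_creds_opt_set_out_ccache the cache is re-opened with `krb5_cc_resolve(context, krb5_cc_get_name(context, ccache), ...)`, but krb5_cc_get_name returns only the residual, not the cache type, so the resolve falls back to the default cache type; a caller who passes a non-default-type cache (a memory cache, for instance) would get a different cache of the default type, and the resulting credentials would be written somewhere the caller did not choose. The type has to be carried over, for example by resolving a `type:name` string built from krb5_cc_get_type and krb5_cc_get_name, as sketched below. Separately, the closing `return retval;` in all three new functions is indented one level too deep (here and in set_fast_flags and get_fast_flags), which reads as if it belonged to a block; the `krb5_cc_close` in the earlier hunk ignores its return value, which is acceptable in a free path but worth a one-word comment.
```c
    char *full_name = NULL;
    /* … unchanged: opt_to_opte conversion and close of any previous out_ccache … */
    if (asprintf(&full_name, "%s:%s", krb5_cc_get_type(context, ccache),
                 krb5_cc_get_name(context, ccache)) < 0)
        return ENOMEM;
    retval = krb5_cc_resolve(context, full_name,
                             &opte->opt_private->out_ccache);
    free(full_name);
    return retval;
```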

Modified: branches/fast-negotiate/src/lib/krb5/libkrb5.exports
===================================================================
--- branches/fast-negotiate/src/lib/krb5/libkrb5.exports	2009-12-02 16:16:19 UTC (rev 23412)
+++ branches/fast-negotiate/src/lib/krb5/libkrb5.exports	2009-12-02 16:16:22 UTC (rev 23413)
@@ -333,6 +333,7 @@
 krb5_get_init_creds_opt_alloc
 krb5_get_init_creds_opt_free
 krb5_get_init_creds_opt_free_pa
+krb5_get_init_creds_opt_get_fast_flags
 krb5_get_init_creds_opt_get_pa
 krb5_get_init_creds_opt_init
 krb5_get_init_creds_opt_set_address_list
@@ -340,7 +341,9 @@
 krb5_get_init_creds_opt_set_change_password_prompt
 krb5_get_init_creds_opt_set_etype_list
 krb5_get_init_creds_opt_set_fast_ccache_name
+krb5_get_init_creds_opt_set_fast_flags
 krb5_get_init_creds_opt_set_forwardable
+krb5_get_init_creds_opt_set_out_ccache
 krb5_get_init_creds_opt_set_pa
 krb5_get_init_creds_opt_set_preauth_list
 krb5_get_init_creds_opt_set_proxiable



