svn rev #23418: branches/fast-negotiate/src/lib/krb5/krb/

hartmans@MIT.EDU hartmans at MIT.EDU
Wed Dec 2 11:16:38 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=23418
Commit By: hartmans
Log Message:
Implement upgrade to FAST when the KDC supports FAST.  Implement fall
back to no negotiation when the KDC doesn't appear to support it.

In order to do this, the control flow for get_init_creds is changed significantly.
A comment in the diff explains the logic.

* Move preauth_request_init into loop
* move preauth gic option handling into loop
* New function krb5int_upgrade_to_fast_p
* New fast state flag: KRB5INT_FAST_ARMOR_AVAIL


Changed Files:
U   branches/fast-negotiate/src/lib/krb5/krb/fast.c
U   branches/fast-negotiate/src/lib/krb5/krb/fast.h
Modified: branches/fast-negotiate/src/lib/krb5/krb/fast.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/fast.c	2009-12-02 16:16:35 UTC (rev 23417)
+++ branches/fast-negotiate/src/lib/krb5/krb/fast.c	2009-12-02 16:16:38 UTC (rev 23418)
@@ -144,6 +144,7 @@
     krb5_clear_error_message(context);
     target_realm = krb5_princ_realm(context, request->server);
     if (opte->opt_private->fast_ccache_name) {
+        state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL;
         retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
                                  &ccache);
         if (retval == 0)
@@ -155,11 +156,13 @@
                                         target_principal, KRB5_CCCONF_FAST_AVAIL,
                                         &config_data);
             if ((retval == 0) && config_data.data )
-                opte->opt_private->fast_flags |= KRB5_FAST_REQUIRED;
+                state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
             krb5_free_data_contents(context, &config_data);
             retval = 0;
         }
-        if (retval==0 && (opte->opt_private->fast_flags &KRB5_FAST_REQUIRED))
+        if (opte->opt_private->fast_flags& KRB5_FAST_REQUIRED)
+            state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
+        if (retval==0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST))
             retval = fast_armor_ap_request(context, state, ccache,
 target_principal);
         if (retval != 0) {
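Review bot: After this change `KRB5INT_FAST_DO_FAST` is set from two different sources, the config value looked up with `KRB5_CCCONF_FAST_AVAIL` and the caller's `KRB5_FAST_REQUIRED` option, and the state bit no longer tells them apart. The fallback to an unarmored request mentioned in the log message is not in this diff; wherever it lives, it should test `opte->opt_private->fast_flags & KRB5_FAST_REQUIRED` rather than the state bit before dropping FAST, so that a caller who required FAST is never retried without armor. A short comment above the new `if (opte->opt_private->fast_flags& KRB5_FAST_REQUIRED)` line, such as `/* Caller demanded FAST: a hard requirement, unlike the ccache hint above. */`, would record that distinction. The enclosing function starts and ends outside the hunk.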
@@ -587,3 +590,14 @@
         krb5_free_checksum(context, checksum);
     return retval;
 }
+krb5_boolean krb5int_upgrade_to_fast_p
+(krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **padata)
+{
+    if (! (state->fast_state_flags & KRB5INT_FAST_ARMOR_AVAIL))
+        return 0;
+    if (krb5int_find_pa_data(context, padata, KRB5_PADATA_FX_FAST) != NULL) {
+        state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
+        return 1;
+    }
+    return 0;
+}
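Review bot: `krb5int_upgrade_to_fast_p` has no comment, and two things about it are not obvious from the name: it is not a pure predicate, since it sets `KRB5INT_FAST_DO_FAST` in `state` when it returns true, and its answer rests entirely on whether `KRB5_PADATA_FX_FAST` appears in `padata`. If that list comes from an unauthenticated KDC error reply (the caller is outside this diff, so this is an assumption), a modified reply that omits the element keeps the exchange unarmored, so a false result must not be read as proof that the KDC lacks FAST. I would add a header comment along the lines of `/* Returns true and sets KRB5INT_FAST_DO_FAST if armor is available and padata advertises PA-FX-FAST; padata is untrusted, so a false result is only a hint. */`, put a blank line after the preceding `}`, and return `TRUE`/`FALSE` to match the `krb5_boolean` return type.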

Modified: branches/fast-negotiate/src/lib/krb5/krb/fast.h
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/fast.h	2009-12-02 16:16:35 UTC (rev 23417)
+++ branches/fast-negotiate/src/lib/krb5/krb/fast.h	2009-12-02 16:16:38 UTC (rev 23418)
@@ -41,7 +41,10 @@
     krb5_ui_4 fast_options;
     krb5_int32 nonce;
 };
+#define KRB5INT_FAST_DO_FAST (1l<<0) /*perform FAST*/
+#define KRB5INT_FAST_ARMOR_AVAIL (1l<<1)
 
+
 krb5_error_code
 krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
                            krb5_kdc_req *request, krb5_data **encoded_req_body);
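Review bot: `KRB5INT_FAST_ARMOR_AVAIL` is defined without a comment, while the line above it documents `KRB5INT_FAST_DO_FAST`. In fast.c the bit is set as soon as `fast_ccache_name` is non-NULL and before `krb5_cc_resolve` has returned, so it appears to mean "an armor ccache name was supplied" rather than "a usable armor ticket exists"; saying so here would stop later code from reading more into it. The lowercase suffix in `1l<<0` is also easy to misread as `11`; `#define KRB5INT_FAST_ARMOR_AVAIL (1L<<1) /* armor ccache name was supplied */` addresses both.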
@@ -84,7 +87,10 @@
  krb5_kdc_rep *rep, krb5_data *request,
  krb5_keyblock *decrypting_key, krb5_boolean *fast_avail);
 
+krb5_boolean krb5int_upgrade_to_fast_p
+(krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **padata);
 
 
 
+
 #endif



