svn rev #23893: branches/iakerb/src/lib/krb5/krb/

ghudson@MIT.EDU ghudson at MIT.EDU
Tue Apr 13 23:13:58 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=23893
Commit By: ghudson
Log Message:
Move the cache check from krb5_get_credentials() into the
krb5_tkt_creds functions.



Changed Files:
U   branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c
U   branches/iakerb/src/lib/krb5/krb/get_creds.c
Modified: branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c
===================================================================
--- branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c	2010-04-14 02:44:34 UTC (rev 23892)
+++ branches/iakerb/src/lib/krb5/krb/gc_frm_kdc.c	2010-04-14 03:13:58 UTC (rev 23893)
@@ -870,11 +870,58 @@
 
 /***** STATE_BEGIN *****/
 
+/*
+ * Look for the desired credentials in the cache, if possible.  If we find
+ * them, put them in ctx->reply_creds and advance the state to STATE_COMPLETE.
+ * Return successfully even if creds are not found, unless the caller only
+ * wanted cached creds.
+ */
 static krb5_error_code
+check_cache(krb5_context context, krb5_tkt_creds_context ctx)
+{
+    krb5_error_code code;
+    krb5_creds mcreds;
+    krb5_flags fields;
+
+    /* For constrained delegation, the expected result is in second_ticket, so
+     * we can't really do a cache check here. */
+    if (ctx->req_options & KRB5_GC_CONSTRAINED_DELEGATION)
+        return (ctx->req_options & KRB5_GC_CACHED) ? KRB5_CC_NOTFOUND : 0;
+
+    /* Perform the cache lookup. */
+    code = krb5int_construct_matching_creds(context, ctx->req_options,
+                                            ctx->in_creds, &mcreds, &fields);
+    if (code)
+        return code;
+    code = cache_get(context, ctx->ccache, fields, &mcreds, &ctx->reply_creds);
+    if (code == 0) {
+        ctx->state = STATE_COMPLETE;
+        return 0;
+    }
+
+    /* Stop on unexpected cache errors. */
+    if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE)
+        return code;
+
+    /* Stop if the caller only wanted cached creds. */
+    if (ctx->req_options & KRB5_GC_CACHED)
+        return code;
+
+    /* Remember whether the cache lookup failed due to enctypes or not. */
+    ctx->cache_code = code;
+    return 0;
+}
+
+/* Decide where to begin the acquisition process. */
+static krb5_error_code
 begin(krb5_context context, krb5_tkt_creds_context ctx)
 {
     krb5_error_code code;
 
+    code = check_cache(context, ctx);
+    if (code != 0 || ctx->state == STATE_COMPLETE)
+        return code;
+
     /* If the server realm is unspecified, start with the client realm. */
     if (krb5_is_referral_realm(&ctx->server->realm)) {
         krb5_free_data_contents(context, &ctx->server->realm);
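Review bot: The KRB5_CC_NOT_KTYPE translation that get_creds.c used to perform (the hunk at @@ -191,18 of get_creds.c, deleted by this commit) has no visible counterpart here: check_cache only records the lookup result in `ctx->cache_code` after the "Remember whether" comment, and nothing in this hunk turns a later KRB5_CC_NOTFOUND back into KRB5_CC_NOT_KTYPE. Presumably the consumer of cache_code lives elsewhere in the state machine; if it does not, callers that iterate over enctypes (the GSSAPI case the deleted comment described) regress to a misleading KRB5_CC_NOTFOUND when the real failure was an enctype mismatch. Either way the rationale should travel with the field, e.g. replace the terse comment with `/* Remember a KRB5_CC_NOT_KTYPE result so the final error can be translated: callers such as GSSAPI iterate enctypes and must not see NOTFOUND for a mere enctype mismatch. */`. begin() continues past the end of this hunk.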

Modified: branches/iakerb/src/lib/krb5/krb/get_creds.c
===================================================================
--- branches/iakerb/src/lib/krb5/krb/get_creds.c	2010-04-14 02:44:34 UTC (rev 23892)
+++ branches/iakerb/src/lib/krb5/krb/get_creds.c	2010-04-14 03:13:58 UTC (rev 23893)
@@ -138,9 +138,7 @@
                      krb5_creds **out_creds)
 {
     krb5_error_code retval;
-    krb5_creds mcreds, *ncreds = NULL;
-    krb5_flags fields;
-    krb5_boolean not_ktype = FALSE;
+    krb5_creds *ncreds = NULL;
 
     *out_creds = NULL;
 
@@ -148,34 +146,7 @@
     if (ncreds == NULL)
         goto cleanup;
 
-    /*
-     * See if we already have the ticket cached. To do this usefully
-     * for constrained delegation, we would need to look inside
-     * second_ticket, which we can't do.
-     */
-    if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
-        retval = krb5int_construct_matching_creds(context, options, in_creds,
-                                                  &mcreds, &fields);
-
-        if (retval)
-            goto cleanup;
-
-        retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
-                                       ncreds);
-        if (retval == 0) {
-            *out_creds = ncreds;
-            return 0;
-        }
-        if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
-            || options & KRB5_GC_CACHED)
-            goto cleanup;
-        not_ktype = (retval == KRB5_CC_NOT_KTYPE);
-    } else if (options & KRB5_GC_CACHED) {
-        retval = KRB5_CC_NOTFOUND;
-        goto cleanup;
-    }
-
-    /* Get the credential from the KDC. */
+    /* Get the credential. */
     retval = get_tkt_creds(context, ccache, in_creds, options, ncreds);
     if (retval != 0)
         goto cleanup;
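Review bot: The replacement comment `/* Get the credential. */` loses the information a reader of krb5_get_credentials now needs most: that the cache lookup the deleted block performed is, per the log message, done inside the tkt_creds functions that get_tkt_creds drives, so a KRB5_GC_CACHED request is still honoured by that call. Suggest `/* Get the credential; the tkt_creds state machine checks the cache first and honours KRB5_GC_CACHED. */`, hedged as appropriate if get_tkt_creds is not the direct wrapper. The enclosing function starts and ends outside this hunk.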
@@ -191,18 +162,6 @@
         goto cleanup;
     }
 
-    /*
-     * Translate KRB5_CC_NOTFOUND if we previously got KRB5_CC_NOT_KTYPE from
-     * krb5_cc_retrieve_cred(), in order to handle the case where there is no
-     * TGT in the ccache and the input enctype didn't match.  This handling is
-     * necessary because some callers, such as GSSAPI, iterate through enctypes
-     * and KRB5_CC_NOTFOUND passed through from get_tkt_creds() is semantically
-     * incorrect, since the actual failure was the non-existence of a ticket of
-     * the correct enctype rather than the missing TGT.
-     */
-    if (retval == KRB5_CC_NOTFOUND && not_ktype)
-        retval = KRB5_CC_NOT_KTYPE;
-
     *out_creds = ncreds;
     ncreds = NULL;
 



