svn rev #23947: branches/iakerb/src/lib/gssapi/krb5/
ghudson@MIT.EDU
ghudson at MIT.EDU
Tue Apr 27 05:14:58 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23947
Commit By: ghudson
Log Message:
Make IAKERB work properly when used in conjunction with default creds
or creds acquired with gss_acquire_cred (as opposed to
gss_acquire_cred_with_password). Previously it would fall back to the
krb5 mech too early and perform a blocking TGS request.
Changed Files:
U branches/iakerb/src/lib/gssapi/krb5/acquire_cred.c
U branches/iakerb/src/lib/gssapi/krb5/gssapiP_krb5.h
U branches/iakerb/src/lib/gssapi/krb5/gssapi_krb5.c
U branches/iakerb/src/lib/gssapi/krb5/iakerb.c
Modified: branches/iakerb/src/lib/gssapi/krb5/acquire_cred.c
===================================================================
--- branches/iakerb/src/lib/gssapi/krb5/acquire_cred.c 2010-04-27 09:12:24 UTC (rev 23946)
+++ branches/iakerb/src/lib/gssapi/krb5/acquire_cred.c 2010-04-27 09:14:58 UTC (rev 23947)
@@ -529,12 +529,6 @@
goto krb_error_out;
}
- if (req_iakerb &&
- (password == GSS_C_NO_BUFFER || cred_usage == GSS_C_BOTH)) {
- code = G_BAD_USAGE;
- goto krb_error_out;
- }
-
/* verify that the requested mechanism set is the default, or
contains krb5 */
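Review bot: Dropping the `req_iakerb && (password == GSS_C_NO_BUFFER || cred_usage == GSS_C_BOTH)` rejection widens what acquire_cred accepts for IAKERB without leaving a trace of why, so the next reader will not know the restriction was deliberately lifted. The hunk shows only the removal; whether the rest of acquire_cred (outside this hunk) actually builds a usable ccache-based IAKERB credential for the no-password and GSS_C_BOTH cases is not visible here and is presumably what the iakerb.c changes in this commit rely on. A short comment at the removal site would anchor that, e.g. `/* IAKERB creds may be ccache-based (no password) or GSS_C_BOTH; iakerb.c acquires default creds itself */`. The enclosing function starts outside the hunk.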
@@ -771,6 +765,25 @@
}
OM_uint32
+iakerb_gss_acquire_cred(minor_status, desired_name, time_req,
+ desired_mechs, cred_usage, output_cred_handle,
+ actual_mechs, time_rec)
+ OM_uint32 *minor_status;
+ gss_name_t desired_name;
+ OM_uint32 time_req;
+ gss_OID_set desired_mechs;
+ gss_cred_usage_t cred_usage;
+ gss_cred_id_t *output_cred_handle;
+ gss_OID_set *actual_mechs;
+ OM_uint32 *time_rec;
+{
+ return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
+ time_req, desired_mechs,
+ cred_usage, output_cred_handle, actual_mechs,
+ time_rec, 1);
+}
+
+OM_uint32
krb5_gss_acquire_cred_with_password(OM_uint32 *minor_status,
const gss_name_t desired_name,
const gss_buffer_t password,
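Review bot: iakerb_gss_acquire_cred is defined with a K&R-style identifier list and separate parameter declarations, while the neighbouring krb5_gss_acquire_cred_with_password and the prototype added to gssapiP_krb5.h in this commit use ANSI prototype form; an old-style definition is not checked against the header prototype's parameter types by the compiler, so a mismatch would go unnoticed. It would also help to state what the wrapper is for, since the only difference from the generic entry is `GSS_C_NO_BUFFER` for the password and the trailing `1` (presumably the req_iakerb flag): a comment such as `/* gss_acquire_cred entry point of the IAKERB mechanism: same as krb5 acquisition but marks the cred as IAKERB and never takes a password. */` above the definition.
```c
/* gss_acquire_cred entry point of the IAKERB mechanism: same as krb5
 * acquisition but marks the cred as IAKERB and never takes a password. */
OM_uint32
iakerb_gss_acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name,
                        OM_uint32 time_req, gss_OID_set desired_mechs,
                        gss_cred_usage_t cred_usage,
                        gss_cred_id_t *output_cred_handle,
                        gss_OID_set *actual_mechs, OM_uint32 *time_rec)
{
    /* … unchanged: return acquire_cred(...) … */
}
```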
Modified: branches/iakerb/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- branches/iakerb/src/lib/gssapi/krb5/gssapiP_krb5.h 2010-04-27 09:12:24 UTC (rev 23946)
+++ branches/iakerb/src/lib/gssapi/krb5/gssapiP_krb5.h 2010-04-27 09:14:58 UTC (rev 23947)
@@ -524,6 +524,18 @@
);
OM_uint32
+iakerb_gss_acquire_cred
+(OM_uint32*, /* minor_status */
+ gss_name_t, /* desired_name */
+ OM_uint32, /* time_req */
+ gss_OID_set, /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t*, /* output_cred_handle */
+ gss_OID_set*, /* actual_mechs */
+ OM_uint32* /* time_rec */
+);
+
+OM_uint32
krb5_gss_acquire_cred_with_password(
OM_uint32 *minor_status,
const gss_name_t desired_name,
Modified: branches/iakerb/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- branches/iakerb/src/lib/gssapi/krb5/gssapi_krb5.c 2010-04-27 09:12:24 UTC (rev 23946)
+++ branches/iakerb/src/lib/gssapi/krb5/gssapi_krb5.c 2010-04-27 09:14:58 UTC (rev 23947)
@@ -718,6 +718,7 @@
iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
+ iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
memset(&mech_iakerb, 0, sizeof(mech_iakerb));
mech_iakerb.mech = &iakerb_mechanism;
Modified: branches/iakerb/src/lib/gssapi/krb5/iakerb.c
===================================================================
--- branches/iakerb/src/lib/gssapi/krb5/iakerb.c 2010-04-27 09:12:24 UTC (rev 23946)
+++ branches/iakerb/src/lib/gssapi/krb5/iakerb.c 2010-04-27 09:14:58 UTC (rev 23947)
@@ -680,11 +680,6 @@
krb5_creds in_creds, *out_creds = NULL;
krb5_error_code code;
- if (cred == NULL || cred->iakerb_mech == 0) {
- *state = IAKERB_AP_REQ;
- return 0;
- }
-
memset(&in_creds, 0, sizeof(in_creds));
in_creds.client = cred->name->princ;
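Review bot: With the early return removed, `in_creds.client = cred->name->princ;` now dereferences cred unconditionally, so every caller must guarantee a non-NULL credential; the init_sec_context hunk later in this commit does that for its own path by acquiring a default cred, but any other caller of this function (its name and start lie outside the hunk) is not visible here. The removed guard also covered `cred->iakerb_mech == 0`, so credentials acquired through the plain krb5 mechanism no longer short-circuit to `IAKERB_AP_REQ` and instead go through this lookup; if that is the intended behaviour it deserves stating. A comment at the top of the body would make the new precondition explicit, e.g. `/* cred must be non-NULL: iakerb_gss_init_sec_context acquires a default cred when the caller passes none. */`.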
@@ -951,8 +946,10 @@
OM_uint32 *time_rec)
{
OM_uint32 major_status = GSS_S_FAILURE;
+ OM_uint32 tmpmin;
krb5_error_code code;
iakerb_ctx_id_t ctx;
+ gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
krb5_gss_cred_id_t kcred;
krb5_gss_name_t kname;
int credLocked = 0;
@@ -984,8 +981,16 @@
credLocked = 1;
kcred = (krb5_gss_cred_id_t)claimant_cred_handle;
- } else
- kcred = NULL;
+ } else {
+ major_status = iakerb_gss_acquire_cred(minor_status, NULL,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_INITIATE,
+ &defcred, NULL, NULL);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+ kcred = (krb5_gss_cred_id_t)defcred;
+ }
major_status = GSS_S_FAILURE;
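Review bot: The new else branch acquires a default credential with `iakerb_gss_acquire_cred(minor_status, NULL, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_INITIATE, &defcred, NULL, NULL)` on the call in which it runs, and nothing in the hunk restricts that to the first round of the exchange; if this block is reached on continuation calls as well (the surrounding control flow is outside the hunk), each round re-resolves the default ccache and may observe a different credential mid-negotiation, besides doing the work repeatedly. Storing the acquired credential in the IAKERB context on first use and reusing it on later rounds would avoid both, if the context is already available at this point. At minimum a comment should record the choice, e.g. `/* No caller cred: resolve the default IAKERB cred (released at cleanup). */`.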
@@ -1034,7 +1039,7 @@
/* IAKERB is finished, or we skipped to Kerberos directly. */
major_status = krb5_gss_init_sec_context_ext(minor_status,
- claimant_cred_handle,
+ (gss_cred_id_t) kcred,
&ctx->u.gssc,
target_name,
GSS_C_NULL_OID,
@@ -1069,6 +1074,7 @@
iakerb_release_context(ctx);
*context_handle = GSS_C_NO_CONTEXT;
}
+ krb5_gss_release_cred(&tmpmin, &defcred);
return major_status;
}
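Review bot: `krb5_gss_release_cred(&tmpmin, &defcred);` runs on every exit path, including the one where the caller supplied claimant_cred_handle and defcred is still `GSS_C_NO_CREDENTIAL`, so it relies on krb5_gss_release_cred treating a no-credential handle as a no-op; that is the usual contract but is not visible in this diff, so either confirm it or guard the call with `if (defcred != GSS_C_NO_CREDENTIAL)`. The status returned by the release is discarded into tmpmin, which is fine for a cleanup path but worth a comment such as `/* Drop the default cred acquired above, if any; failures here cannot change the outcome. */`.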