svn rev #23948: branches/iakerb/src/lib/gssapi/krb5/
ghudson@MIT.EDU
Tue Apr 27 05:36:28 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=23948
Commit By: ghudson
Log Message:
If IAKERB is used with no TGT, return KRB5_CC_NOTFOUND instead of
going fruitlessly into the AS code path and returning EINVAL. Also
better handle the case where service credentials exist but are of an
unsupported enctype. Make a note that we aren't as consistent as we
would like to be in the case where the TGT exists but has expired.
Changed Files:
U branches/iakerb/src/lib/gssapi/krb5/iakerb.c
Modified: branches/iakerb/src/lib/gssapi/krb5/iakerb.c
===================================================================
--- branches/iakerb/src/lib/gssapi/krb5/iakerb.c 2010-04-27 09:14:58 UTC (rev 23947)
+++ branches/iakerb/src/lib/gssapi/krb5/iakerb.c 2010-04-27 09:36:28 UTC (rev 23948)
@@ -707,7 +707,7 @@
code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED,
cred->ccache,
&in_creds, &out_creds);
- if (code == KRB5_CC_NOTFOUND) {
+ if (code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE) {
krb5_principal tgs;
krb5_data *realm = krb5_princ_realm(ctx->k5c, in_creds.client);
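Review bot: the widened test `code == KRB5_CC_NOTFOUND || code == KRB5_CC_NOT_KTYPE` carries no comment explaining why an unsupported-enctype result for the service credentials is handled the same way as a cache miss. The log message gives the reason, but the code does not; a one-line comment above the condition, saying that cached service credentials of an unsupported enctype are unusable and so the TGT lookup is tried instead, would stop a later cleanup from narrowing the check again.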
@@ -726,10 +726,14 @@
in_creds.server = tgs;
+ /* It would be nice if we could return KRB5KRB_AP_ERR_TKT_EXPIRED if
+ * the TGT is expired, for consistency with the krb5 mech. As it
+ * stands, we won't see the expired TGT and will return
+ * KRB5_CC_NOTFOUND. */
code = krb5_get_credentials(ctx->k5c, KRB5_GC_CACHED,
cred->ccache,
&in_creds, &out_creds);
- if (code == KRB5_CC_NOTFOUND) {
+ if (code == KRB5_CC_NOTFOUND && cred->password.data != NULL) {
*state = IAKERB_AS_REQ;
code = 0;
} else if (code == 0) {
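Review bot: at the new condition `code == KRB5_CC_NOTFOUND && cred->password.data != NULL`, the no-password case depends on skipping both branches with code still set to KRB5_CC_NOTFOUND, and the lines after `} else if (code == 0) {` are not visible here, so please confirm nothing further down remaps or clears that value before it is returned. A short comment on the condition stating that without a password there is nothing to drive the AS exchange would make the intent explicit. The test also checks only `password.data` against NULL, so a non-NULL but zero-length password would still move to IAKERB_AS_REQ; if that state is reachable, check the length too. Finally, this TGT lookup still matches only KRB5_CC_NOTFOUND while the service-credential lookup in the previous hunk now also accepts KRB5_CC_NOT_KTYPE; worth stating whether that asymmetry is intended.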