krb5 commit: Resolve krb5 GSS creds if time_rec is requested
Greg Hudson
ghudson at mit.edu
Wed Aug 19 11:29:03 EDT 2015
https://github.com/krb5/krb5/commit/50f426ac17a81ff5b7c212c24645b9874ea911f0
commit 50f426ac17a81ff5b7c212c24645b9874ea911f0
Author: Simo Sorce <simo at redhat.com>
Date: Mon Aug 17 13:21:42 2015 -0400
Resolve krb5 GSS creds if time_rec is requested
The code normally tries to defer credential acquisition to a later
time. However, if the application requests the lifetime, the code
needs to resolve the credential and return the actual expiration time.
Returning 0 would cause the application to think credentials are
expired.
In the mechglue, pass through null time_rec pointers to the mech so
that the mech knows whether it was requested. In SPNEGO, pass through
time_rec to the mech when acquiring creds, via a new parameter to
get_available_mechs().
[ghudson at mit.edu: minor style changes; edit and expand commit message]
ticket: 8235 (new)
src/lib/gssapi/krb5/acquire_cred.c | 9 ++++++++-
src/lib/gssapi/mechglue/g_acquire_cred.c | 14 +++++++++-----
src/lib/gssapi/spnego/spnego_mech.c | 15 ++++++++-------
3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 5bcfec9..6e83fb9 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -825,8 +825,15 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
if (code != 0)
goto krb_error_out;
- if (time_rec)
+ if (time_rec) {
+ /* Resolve cred now to determine the expiration time. */
+ ret = kg_cred_resolve(minor_status, context, (gss_cred_id_t)cred,
+ GSS_C_NO_NAME);
+ if (GSS_ERROR(ret))
+ goto error_out;
*time_rec = (cred->expire > now) ? (cred->expire - now) : 0;
+ k5_mutex_unlock(&cred->lock);
+ }
}
*minor_status = 0;
diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c
index ff250de..d29856c 100644
--- a/src/lib/gssapi/mechglue/g_acquire_cred.c
+++ b/src/lib/gssapi/mechglue/g_acquire_cred.c
@@ -190,8 +190,9 @@ OM_uint32 * time_rec;
major = gss_add_cred_from(&tmpMinor, (gss_cred_id_t)creds,
desired_name, &mechs->elements[i],
cred_usage, time_req, time_req,
- cred_store, NULL, NULL, &initTimeOut,
- &acceptTimeOut);
+ cred_store, NULL, NULL,
+ time_rec ? &initTimeOut : NULL,
+ time_rec ? &acceptTimeOut : NULL);
if (major == GSS_S_COMPLETE) {
/* update the credential's time */
if (cred_usage == GSS_C_ACCEPT) {
@@ -356,7 +357,7 @@ gss_add_cred_from(minor_status, input_cred_handle,
OM_uint32 *acceptor_time_rec;
{
OM_uint32 status, temp_minor_status;
- OM_uint32 time_req, time_rec;
+ OM_uint32 time_req, time_rec = 0, *time_recp = NULL;
gss_union_name_t union_name;
gss_union_cred_t new_union_cred, union_cred;
gss_name_t internal_name = GSS_C_NO_NAME;
@@ -447,15 +448,18 @@ gss_add_cred_from(minor_status, input_cred_handle,
if (status != GSS_S_COMPLETE)
goto errout;
+ if (initiator_time_rec != NULL || acceptor_time_rec != NULL)
+ time_recp = &time_rec;
+
if (mech->gss_acquire_cred_from) {
status = mech->gss_acquire_cred_from(minor_status, internal_name,
time_req, target_mechs,
cred_usage, cred_store, &cred,
- NULL, &time_rec);
+ NULL, time_recp);
} else if (cred_store == GSS_C_NO_CRED_STORE) {
status = mech->gss_acquire_cred(minor_status, internal_name, time_req,
target_mechs, cred_usage, &cred, NULL,
- &time_rec);
+ time_recp);
} else {
return GSS_S_UNAVAILABLE;
}
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 8ade245..f3d5f09 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -96,7 +96,8 @@ static gss_OID_set get_mech_set(OM_uint32 *, unsigned char **, unsigned int);
static OM_uint32 get_req_flags(unsigned char **, OM_uint32, OM_uint32 *);
static OM_uint32 get_available_mechs(OM_uint32 *, gss_name_t, gss_cred_usage_t,
gss_const_key_value_set_t,
- gss_cred_id_t *, gss_OID_set *);
+ gss_cred_id_t *, gss_OID_set *,
+ OM_uint32 *);
static OM_uint32 get_negotiable_mechs(OM_uint32 *, spnego_gss_cred_id_t,
gss_cred_usage_t, gss_OID_set *);
static void release_spnego_ctx(spnego_gss_ctx_id_t *);
@@ -399,7 +400,7 @@ spnego_gss_acquire_cred_from(OM_uint32 *minor_status,
*/
status = get_available_mechs(minor_status, desired_name,
cred_usage, cred_store, &mcred,
- &amechs);
+ &amechs, time_rec);
if (actual_mechs && amechs != GSS_C_NULL_OID_SET) {
(void) gssint_copy_oid_set(&tmpmin, amechs, actual_mechs);
@@ -2009,7 +2010,7 @@ spnego_gss_inquire_cred(
GSS_C_BOTH,
GSS_C_NO_CRED_STORE,
&creds,
- mechanisms);
+ mechanisms, NULL);
if (status != GSS_S_COMPLETE) {
dsyslog("Leaving inquire_cred\n");
return (status);
@@ -2637,7 +2638,7 @@ spnego_gss_acquire_cred_with_password(OM_uint32 *minor_status,
status = get_available_mechs(minor_status, desired_name,
cred_usage, GSS_C_NO_CRED_STORE,
- NULL, &amechs);
+ NULL, &amechs, NULL);
if (status != GSS_S_COMPLETE)
goto cleanup;
@@ -3006,7 +3007,7 @@ static OM_uint32
get_available_mechs(OM_uint32 *minor_status,
gss_name_t name, gss_cred_usage_t usage,
gss_const_key_value_set_t cred_store,
- gss_cred_id_t *creds, gss_OID_set *rmechs)
+ gss_cred_id_t *creds, gss_OID_set *rmechs, OM_uint32 *time_rec)
{
unsigned int i;
int found = 0;
@@ -3060,7 +3061,7 @@ get_available_mechs(OM_uint32 *minor_status,
GSS_C_INDEFINITE,
*rmechs, usage,
cred_store, creds,
- &goodmechs, NULL);
+ &goodmechs, time_rec);
/*
* Drop the old list in favor of the new
@@ -3110,7 +3111,7 @@ get_negotiable_mechs(OM_uint32 *minor_status, spnego_gss_cred_id_t spcred,
credptr = (usage == GSS_C_INITIATE) ? &creds : NULL;
ret = get_available_mechs(minor_status, GSS_C_NO_NAME, usage,
GSS_C_NO_CRED_STORE, credptr,
- rmechs);
+ rmechs, NULL);
gss_release_cred(&tmpmin, &creds);
return (ret);
}
More information about the cvs-krb5
mailing list