krb5 commit [krb5-1.13]: Avoid unneeded GetMSTGT() calls in cc_mslsa.c
Tom Yu
tlyu at mit.edu
Wed May 13 17:06:03 EDT 2015
https://github.com/krb5/krb5/commit/90c0f8850ad9595866b8343a9d489cf148f41ba0
commit 90c0f8850ad9595866b8343a9d489cf148f41ba0
Author: Ben Kaduk <kaduk at mit.edu>
Date: Thu Aug 14 13:57:48 2014 -0400
Avoid unneeded GetMSTGT() calls in cc_mslsa.c
Both lcc_resolve() and lcc_get_principal() were using GetMSTGT()
to fetch a ticket from which to obtain the client principal name
of the credentials cache. However, that name is contained in
the results of the cache information query; there is no need
to retrieve a full ticket of any sort to get it. Since there
may sometimes be difficulties obtaining a TGT when UAC is enabled,
avoid these unneeded calls.
(cherry picked from commit 76a16d2652da483dd7bc95f24257e0f195b833f0)
ticket: 7989
version_fixed: 1.13.3
status: resolved
src/lib/krb5/ccache/cc_mslsa.c | 62 ++++++++++++++++++---------------------
1 files changed, 29 insertions(+), 33 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 801d055..c775805 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -1527,9 +1527,8 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
krb5_ccache lid;
krb5_lcc_data *data;
HANDLE LogonHandle;
- ULONG PackageId;
- KERB_EXTERNAL_TICKET *msticket;
- krb5_error_code retval = KRB5_OK;
+ ULONG PackageId, i;
+ PKERB_QUERY_TKT_CACHE_EX_RESPONSE pResponse;
if (!PackageConnectLookup(&LogonHandle, &PackageId))
return KRB5_FCC_NOFILE;
@@ -1553,7 +1552,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
data = (krb5_lcc_data *)lid->data;
data->LogonHandle = LogonHandle;
data->PackageId = PackageId;
- data->princ = 0;
+ data->princ = NULL;
data->cc_name = (char *)malloc(strlen(residual)+1);
if (data->cc_name == NULL) {
@@ -1564,19 +1563,18 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
}
strcpy(data->cc_name, residual);
- /*
- * we must obtain a tgt from the cache in order to determine the principal
- */
- if (GetMSTGT(context, data->LogonHandle, data->PackageId, &msticket, FALSE)) {
- /* convert the ticket */
- krb5_creds creds;
- if (!MSCredToMITCred(msticket, msticket->DomainName, context, &creds))
- retval = KRB5_FCC_INTERNAL;
- LsaFreeReturnBuffer(msticket);
+ /* If there are already tickets present, grab a client principal name. */
+ if (GetQueryTktCacheResponseEx(LogonHandle, PackageId, &pResponse)) {
+ /* Take the first client principal we find; they should all be the
+ * same anyway. */
+ for (i = 0; i < pResponse->CountOfTickets; i++) {
+ if (UnicodeStringToMITPrinc(&pResponse->Tickets[0].ClientName,
+ &pResponse->Tickets[0].ClientRealm,
+ context, &data->princ))
+ break;
- if (retval == KRB5_OK)
- krb5_copy_principal(context, creds.client, &data->princ);
- krb5_free_cred_contents(context,&creds);
+ }
+ LsaFreeReturnBuffer(pResponse);
}
/*
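Review bot: The loop added in krb5_lcc_resolve advances `i` but reads `pResponse->Tickets[0]` on every pass, so if the first entry's name fails to convert, the remaining entries are never tried and `data->princ` stays NULL. Index with the loop variable instead: `&pResponse->Tickets[i].ClientName` and `&pResponse->Tickets[i].ClientRealm`. The later hunk in krb5_lcc_get_principal adds the same loop with the same `[0]` index and needs the same change. krb5_lcc_resolve starts before this hunk and continues past it.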
@@ -1584,7 +1582,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
* if cache is non-existent/unusable
*/
*id = lid;
- return retval;
+ return KRB5_OK;
}
/*
@@ -1904,29 +1902,27 @@ krb5_lcc_get_name (krb5_context context, krb5_ccache id)
static krb5_error_code KRB5_CALLCONV
krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
{
+ PKERB_QUERY_TKT_CACHE_EX_RESPONSE pResponse;
krb5_lcc_data *data = (krb5_lcc_data *)id->data;
+ ULONG i;
/* obtain principal */
if (data->princ)
return krb5_copy_principal(context, data->princ, princ);
else {
- /*
- * we must obtain a tgt from the cache in order to determine the principal
- */
- KERB_EXTERNAL_TICKET *msticket;
- if (GetMSTGT(context, data->LogonHandle, data->PackageId, &msticket, FALSE)) {
- /* convert the ticket */
- krb5_creds creds;
- if (!MSCredToMITCred(msticket, msticket->DomainName, context, &creds))
- {
- LsaFreeReturnBuffer(msticket);
- return KRB5_FCC_INTERNAL;
+ if (GetQueryTktCacheResponseEx(data->LogonHandle, data->PackageId,
+ &pResponse)) {
+ /* Take the first client principal we find; they should all be the
+ * same anyway. */
+ for (i = 0; i < pResponse->CountOfTickets; i++) {
+ if (UnicodeStringToMITPrinc(&pResponse->Tickets[0].ClientName,
+ &pResponse->Tickets[0].ClientRealm,
+ context, &data->princ))
+ break;
}
- LsaFreeReturnBuffer(msticket);
-
- krb5_copy_principal(context, creds.client, &data->princ);
- krb5_free_cred_contents(context,&creds);
- return krb5_copy_principal(context, data->princ, princ);
+ LsaFreeReturnBuffer(pResponse);
+ if (data->princ)
+ return krb5_copy_principal(context, data->princ, princ);
}
}
return KRB5_CC_NOTFOUND;