gss_inquire_cred_by_mech() not setting lifetimes

Phil Fisher philip_fisher at hotmail.co.uk
Thu Mar 15 13:51:50 EDT 2007


Should gss_inquire_cred_by_mech() set the initiator and acceptor lifetimes 
when called with the credential GSS_C_NO_CREDENTIAL?

My reading of the description of this function in RFC2744 suggests that it 
should set these to the lifetimes of the default initiator principal.

I find with the MIT implementation (krb5-1.5.2) the lifetimes are not 
returned in this case.

src/lib/gssapi/krb5/inq_cred.c contains the following in 
krb5_gss_inquire_cred_by_mech():
....
    cred = (krb5_gss_cred_id_t) cred_handle;
    mstat = krb5_gss_inquire_cred(minor_status,
                                  cred_handle,
                                  name,
                                  &lifetime,
                                  cred_usage,
                                  (gss_OID_set *) NULL);
    if (mstat == GSS_S_COMPLETE) {
        if (cred &&
            ((cred->usage == GSS_C_INITIATE) ||
             (cred->usage == GSS_C_BOTH)) &&
            initiator_lifetime)
            *initiator_lifetime = lifetime;
        if (cred &&
            ((cred->usage == GSS_C_ACCEPT) ||
             (cred->usage == GSS_C_BOTH)) &&
            acceptor_lifetime)
            *acceptor_lifetime = lifetime;
    }

This means that if the cred_handle passed in is GSS_C_NO_CREDENTIAL (=NULL), 
the lifetimes will not be passed to the caller.

The behaviour I expect occurs if the conditions become:

    if (mstat == GSS_S_COMPLETE) {
        if (((*cred_usage == GSS_C_INITIATE) ||
             (*cred_usage == GSS_C_BOTH)) &&
            initiator_lifetime)
            *initiator_lifetime = lifetime;
        if (((*cred_usage == GSS_C_ACCEPT) ||
             (*cred_usage == GSS_C_BOTH)) &&
            acceptor_lifetime)
            *acceptor_lifetime = lifetime;
    }

Is this correct? If so, should I post it to the krb5-bugs list?

BTW, the krb5-1.6 source has not changed in this area.

Thanks
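
Added example, not part of the original post and not MIT krb5 code: a self-contained C model of the two conditions discussed above, showing what a caller that passes GSS_C_NO_CREDENTIAL finds in its initiator-lifetime variable afterwards. The MODEL_* constants, struct model_cred, model_inquire() and the 3600-second default credential are constructed stand-ins; the second variant keeps the resolved usage in a local so it also works when the caller passes NULL for cred_usage, which RFC 2744 permits.

```c
#include <stddef.h>

/* Stand-ins so this builds without krb5 headers (assumptions of this example). */
enum { MODEL_BOTH = 0, MODEL_INITIATE = 1, MODEL_ACCEPT = 2 };
struct model_cred { int usage; unsigned lifetime; };
#define UNSET 0xFFFFFFFFu   /* sentinel: callee never wrote the output */

/* Constructed default credential: initiate-only, 3600 s remaining. */
static const struct model_cred default_cred = { MODEL_INITIATE, 3600 };

/* Stand-in for krb5_gss_inquire_cred(): a NULL handle resolves to the
 * default credential; usage is an optional output. */
static void model_inquire(const struct model_cred *h, unsigned *lifetime, int *usage)
{
    const struct model_cred *c = h ? h : &default_cred;
    *lifetime = c->lifetime;
    if (usage)
        *usage = c->usage;
}

/* Condition as quoted from inq_cred.c: tests the caller's handle. */
void by_mech_original(const struct model_cred *h, unsigned *init_lt,
                      unsigned *acc_lt, int *usage)
{
    unsigned lifetime;
    model_inquire(h, &lifetime, usage);
    if (h && (h->usage == MODEL_INITIATE || h->usage == MODEL_BOTH) && init_lt)
        *init_lt = lifetime;
    if (h && (h->usage == MODEL_ACCEPT || h->usage == MODEL_BOTH) && acc_lt)
        *acc_lt = lifetime;
}

/* Condition keyed on the resolved usage, held in a local variable so a
 * NULL usage pointer from the caller is never dereferenced. */
void by_mech_resolved(const struct model_cred *h, unsigned *init_lt,
                      unsigned *acc_lt, int *usage)
{
    unsigned lifetime;
    int resolved;
    model_inquire(h, &lifetime, &resolved);
    if (usage)
        *usage = resolved;
    if ((resolved == MODEL_INITIATE || resolved == MODEL_BOTH) && init_lt)
        *init_lt = lifetime;
    if ((resolved == MODEL_ACCEPT || resolved == MODEL_BOTH) && acc_lt)
        *acc_lt = lifetime;
}

/* Initiator lifetime a caller sees after passing a NULL credential handle. */
unsigned initiator_lifetime_seen(int use_resolved, int pass_usage)
{
    unsigned init_lt = UNSET, acc_lt = UNSET;
    int usage = -1;
    (use_resolved ? by_mech_resolved : by_mech_original)(
        NULL, &init_lt, &acc_lt, pass_usage ? &usage : NULL);
    return init_lt;
}
```

With the handle-based condition the caller's variable keeps whatever it held before the call, so code that compares it against an expiry threshold is working on stale or uninitialised data.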
