gss_inquire_cred_by_mech() not setting lifetimes
Phil Fisher
philip_fisher at hotmail.co.uk
Thu Mar 15 13:51:50 EDT 2007

Should gss_inquire_cred_by_mech() set the initiator and acceptor lifetimes
when called with the credential GSS_C_NO_CREDENTIAL?

My reading of the description of this function in RFC2744 suggests that it
should set these to the lifetimes of the default initiator principal.

I find with the MIT implementation (krb5-1.5.2) the lifetimes are not
returned in this case.

src/lib/gssapi/krb5/inq_cred.c contains the following in
krb5_gss_inquire_cred_by_mech():

    ....
    cred = (krb5_gss_cred_id_t) cred_handle;
    mstat = krb5_gss_inquire_cred(minor_status,
                                  cred_handle,
                                  name,
                                  &lifetime,
                                  cred_usage,
                                  (gss_OID_set *) NULL);
    if (mstat == GSS_S_COMPLETE) {
        if (cred &&
            ((cred->usage == GSS_C_INITIATE) ||
             (cred->usage == GSS_C_BOTH)) &&
            initiator_lifetime)
            *initiator_lifetime = lifetime;
        if (cred &&
            ((cred->usage == GSS_C_ACCEPT) ||
             (cred->usage == GSS_C_BOTH)) &&
            acceptor_lifetime)
            *acceptor_lifetime = lifetime;
    }

This means that if the cred_handle passed in is GSS_C_NO_CREDENTIAL (=NULL),
the lifetimes will not be passed to the caller.

The behaviour I expect occurs if the conditions become:

    if (mstat == GSS_S_COMPLETE) {
        if (((*cred_usage == GSS_C_INITIATE) ||
             (*cred_usage == GSS_C_BOTH)) &&
            initiator_lifetime)
            *initiator_lifetime = lifetime;
        if (((*cred_usage == GSS_C_ACCEPT) ||
             (*cred_usage == GSS_C_BOTH)) &&
            acceptor_lifetime)
            *acceptor_lifetime = lifetime;
    }

Is this correct? If so, should I post it to the krb5-bugs list?

BTW, the krb5-1.6 source has not changed in this area.

Thanks
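
Added example, not part of the original post or of the MIT krb5 source: a stand-alone C model of the two condition shapes discussed in the message, run with a NULL handle so the difference in the output lifetimes is visible. struct model_cred, resolve(), UNSET and both function names are hypothetical stand-ins; the second function goes slightly beyond the post by keeping the usage in a local, so a NULL cred_usage (an optional output in RFC 2744) is never dereferenced.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed stand-ins for the GSS-API types; usage values as in RFC 2744. */
typedef uint32_t OM_uint32;
enum { GSS_C_BOTH = 0, GSS_C_INITIATE = 1, GSS_C_ACCEPT = 2 };
struct model_cred { int usage; OM_uint32 lifetime; };   /* hypothetical */
#define UNSET 0xDEADBEEFu   /* sentinel: the output was never written */

/* Stand-in for krb5_gss_inquire_cred(): a NULL handle means the default credential. */
static const struct model_cred *resolve(const struct model_cred *h,
                                        const struct model_cred *dflt)
{
    return h ? h : dflt;
}

/* Condition shape from the quoted excerpt: keyed on the caller's handle. */
void lifetimes_by_handle(const struct model_cred *h, const struct model_cred *dflt,
                         OM_uint32 *init_lt, OM_uint32 *acc_lt)
{
    OM_uint32 lifetime = resolve(h, dflt)->lifetime;
    if (h && (h->usage == GSS_C_INITIATE || h->usage == GSS_C_BOTH) && init_lt)
        *init_lt = lifetime;
    if (h && (h->usage == GSS_C_ACCEPT || h->usage == GSS_C_BOTH) && acc_lt)
        *acc_lt = lifetime;
}

/* Keyed on the resolved usage, held in a local so cred_usage may be NULL. */
void lifetimes_by_usage(const struct model_cred *h, const struct model_cred *dflt,
                        OM_uint32 *init_lt, OM_uint32 *acc_lt, int *cred_usage)
{
    const struct model_cred *c = resolve(h, dflt);
    int usage = c->usage;
    if (cred_usage)
        *cred_usage = usage;
    if ((usage == GSS_C_INITIATE || usage == GSS_C_BOTH) && init_lt)
        *init_lt = c->lifetime;
    if ((usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) && acc_lt)
        *acc_lt = c->lifetime;
}

int main(void)
{
    struct model_cred dflt = { GSS_C_INITIATE, 36000 };  /* constructed sample */
    OM_uint32 a = UNSET, b = UNSET;
    lifetimes_by_handle(NULL, &dflt, &a, NULL);   /* NULL models GSS_C_NO_CREDENTIAL */
    lifetimes_by_usage(NULL, &dflt, &b, NULL, NULL);
    printf("by handle: %s, by usage: %u\n", a == UNSET ? "unset" : "set", (unsigned)b);
    return 0;
}
```

A caller that cannot rely on the outputs being written can initialise both lifetimes before the call, as the sentinel does here, rather than reading an uninitialised value afterwards.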