From 09f3f96467b584a21e0a72ef13df1e5c25e07a9e Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Wed, 29 Dec 2021 16:56:53 -0600 Subject: [PATCH] gsskrb5: Use optimistic anon PKINIT armored FAST --- lib/gssapi/krb5/acquire_cred.c | 52 +++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c index 6b6251606..211dcaa7f 100644 --- a/lib/gssapi/krb5/acquire_cred.c +++ b/lib/gssapi/krb5/acquire_cred.c @@ -203,7 +203,8 @@ acquire_cred_with_password(OM_uint32 *minor_status, { OM_uint32 ret = GSS_S_FAILURE; krb5_creds cred; - krb5_get_init_creds_opt *opt; + krb5_init_creds_context ctx = NULL; + krb5_get_init_creds_opt *opt = NULL; krb5_ccache ccache = NULL; krb5_error_code kret; time_t now; @@ -236,13 +237,19 @@ acquire_cred_with_password(OM_uint32 *minor_status, if (kret) goto end; } - kret = krb5_get_init_creds_opt_alloc(context, &opt); - if (kret) - goto end; - realm = krb5_principal_get_realm(context, handle->principal); - krb5_get_init_creds_opt_set_default_flags(context, "gss_krb5", realm, opt); + kret = krb5_get_init_creds_opt_alloc(context, &opt); + if (kret == 0) { + krb5_get_init_creds_opt_set_default_flags(context, "gss_krb5", realm, + opt); + kret = krb5_init_creds_init(context, handle->principal, NULL, NULL, 0, + opt, &ctx); + } + if (kret == 0) + kret = _krb5_init_creds_set_fast_anon_pkinit_optimistic(context, ctx); + if (kret == 0) + kret = krb5_init_creds_set_password(context, ctx, password); /* * Get the current time before the AS exchange so we don't @@ -256,21 +263,18 @@ acquire_cred_with_password(OM_uint32 *minor_status, */ krb5_timeofday(context, &now); - kret = krb5_get_init_creds_password(context, &cred, handle->principal, - password, NULL, NULL, 0, NULL, opt); - krb5_get_init_creds_opt_free(context, opt); - if (kret) - goto end; - - kret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache); - if (kret) - goto end; - - kret = krb5_cc_initialize(context, ccache, cred.client); - if (kret) - goto end; - - kret = krb5_cc_store_cred(context, ccache, &cred); + if (kret == 0) + kret = krb5_init_creds_get(context, ctx); + if (kret == 0) + kret = krb5_init_creds_get_creds(context, ctx, &cred); + if (kret == 0) + kret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache); + if (kret == 0) + kret = krb5_cc_initialize(context, ccache, cred.client); + if (kret == 0) + kret = krb5_init_creds_store(context, ctx, ccache); + if (kret == 0) + kret = krb5_cc_store_cred(context, ccache, &cred); if (kret) goto end; @@ -284,14 +288,16 @@ acquire_cred_with_password(OM_uint32 *minor_status, handle->ccache = ccache; ccache = NULL; ret = GSS_S_COMPLETE; - kret = 0; end: + krb5_get_init_creds_opt_free(context, opt); + if (ctx) + krb5_init_creds_free(context, ctx); if (ccache != NULL) krb5_cc_destroy(context, ccache); if (cred.client != NULL) krb5_free_cred_contents(context, &cred); - if (ret != GSS_S_COMPLETE && kret != 0) + if (ret != GSS_S_COMPLETE) *minor_status = kret; return (ret); }