kinit: Use optimistic anon PKINIT armored FAST
Now that we can optimistically try FAST w/ anon PINIT armor, we should do so in kinit whenever it makes sense.
This commit is contained in:
Nicolas Williams
committed by
Luke Howard
Luke Howard
parent
944e12e103
commit
554f375626
@@ -34,6 +34,8 @@
|
||||
*/
|
||||
|
||||
#include "kuser_locl.h"
|
||||
#undef HC_DEPRECATED_CRYPTO
|
||||
#include <krb5_locl.h>
|
||||
|
||||
#ifdef HAVE_FRAMEWORK_SECURITY
|
||||
#include <Security/Security.h>
|
||||
@@ -78,7 +80,7 @@ int pk_enterprise_flag = 0;
|
||||
struct hx509_certs_data *ent_user_id = NULL;
|
||||
char *pk_x509_anchors = NULL;
|
||||
int pk_use_enckey = 0;
|
||||
int pk_anon_fast_armor = 0;
|
||||
int pk_anon_fast_armor = -1;
|
||||
char *gss_preauth_mech = NULL;
|
||||
char *gss_preauth_name = NULL;
|
||||
char *kdc_hostname = NULL;
|
||||
@@ -828,6 +830,8 @@ get_new_tickets(krb5_context context,
|
||||
if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
|
||||
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
|
||||
if (pk_user_id || ent_user_id || anonymous_pkinit) {
|
||||
if (pk_anon_fast_armor == -1)
|
||||
pk_anon_fast_armor = 0;
|
||||
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
|
||||
principal,
|
||||
pk_user_id,
|
||||
@@ -936,13 +940,22 @@ get_new_tickets(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
if (anonymous_flag && pk_anon_fast_armor == -1)
|
||||
pk_anon_fast_armor = 0;
|
||||
if (!gss_preauth_mech && anonymous_flag && pk_anon_fast_armor) {
|
||||
krb5_warnx(context, N_("Ignoring --pk-anon-fast-armor because "
|
||||
"--anonymous given", ""));
|
||||
pk_anon_fast_armor = 0;
|
||||
}
|
||||
|
||||
if (fast_armor_cache_string) {
|
||||
krb5_ccache fastid = NULL;
|
||||
|
||||
if (pk_anon_fast_armor)
|
||||
if (pk_anon_fast_armor > 0)
|
||||
krb5_errx(context, 1,
|
||||
N_("cannot specify FAST armor cache with FAST "
|
||||
"anonymous PKINIT option", ""));
|
||||
pk_anon_fast_armor = 0;
|
||||
|
||||
ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
|
||||
if (ret) {
|
||||
@@ -955,6 +968,12 @@ get_new_tickets(krb5_context context,
|
||||
krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
|
||||
goto out;
|
||||
}
|
||||
} else if (pk_anon_fast_armor == -1) {
|
||||
ret = _krb5_init_creds_set_fast_anon_pkinit_optimistic(context, ctx);
|
||||
if (ret) {
|
||||
krb5_warn(context, ret, "_krb5_init_creds_set_fast_anon_pkinit_optimistic");
|
||||
goto out;
|
||||
}
|
||||
} else if (pk_anon_fast_armor) {
|
||||
ret = krb5_init_creds_set_fast_anon_pkinit(context, ctx);
|
||||
if (ret) {
|
||||
@@ -1659,6 +1678,10 @@ main(int argc, char **argv)
|
||||
krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
|
||||
|
||||
pk_user_id = NULL;
|
||||
if (pk_anon_fast_armor > 0)
|
||||
krb5_warnx(context, N_("Ignoring --pk-anon-fast-armor "
|
||||
"because --pk-user given", ""));
|
||||
pk_anon_fast_armor = 0;
|
||||
} else if (argc && argv[0][0] == '@' &&
|
||||
(gss_preauth_mech || anonymous_flag)) {
|
||||
const char *instance;
|
||||
@@ -1673,6 +1696,11 @@ main(int argc, char **argv)
|
||||
ret = make_wellknown_name(context, &argv[0][1], instance, &principal);
|
||||
if (ret)
|
||||
krb5_err(context, 1, ret, "make_wellknown_name");
|
||||
if (!gss_preauth_mech && pk_anon_fast_armor > 1) {
|
||||
krb5_warnx(context, N_("Ignoring --pk-anon-fast-armor "
|
||||
"because --anonymous given", ""));
|
||||
pk_anon_fast_armor = 0;
|
||||
}
|
||||
} else if (anonymous_flag && historical_anon_pkinit) {
|
||||
char *realm = argc == 0 ? get_default_realm(context) :
|
||||
argv[0][0] == '@' ? &argv[0][1] : argv[0];
|
||||
|
||||
Reference in New Issue
Block a user