gss_add_cred() doesn't always output lifetime

This commit is contained in:
Nicolas Williams
2015-04-13 18:33:45 -05:00
parent 67af588bce
commit 9a515026b9


@@ -81,11 +81,10 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
} }
static OM_uint32 acquire_initiator_cred static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status, (OM_uint32 *minor_status,
krb5_context context, krb5_context context,
gss_const_OID credential_type, gss_const_OID credential_type,
const void *credential_data, const void *credential_data,
gss_const_name_t desired_name,
OM_uint32 time_req, OM_uint32 time_req,
gss_const_OID desired_mech, gss_const_OID desired_mech,
gss_cred_usage_t cred_usage, gss_cred_usage_t cred_usage,
@@ -99,6 +98,7 @@ static OM_uint32 acquire_initiator_cred
krb5_ccache ccache; krb5_ccache ccache;
krb5_keytab keytab; krb5_keytab keytab;
krb5_error_code kret; krb5_error_code kret;
int try_get_init_creds = 0;
keytab = NULL; keytab = NULL;
ccache = NULL; ccache = NULL;
@@ -119,26 +119,24 @@ static OM_uint32 acquire_initiator_cred
} }
if (handle->principal) { if (handle->principal) {
kret = krb5_cc_cache_match (context, kret = krb5_cc_cache_match(context,
handle->principal, handle->principal,
&ccache); &ccache);
if (kret == 0) { if (kret == 0) {
ret = GSS_S_COMPLETE; ret = GSS_S_COMPLETE;
goto found; goto found;
} }
} }
if (ccache == NULL) { kret = krb5_cc_default(context, &ccache);
kret = krb5_cc_default(context, &ccache); if (kret == 0)
if (kret) kret = krb5_cc_get_principal(context, ccache, &def_princ);
goto end;
}
kret = krb5_cc_get_principal(context, ccache, &def_princ);
if (kret != 0) { if (kret != 0) {
/* we'll try to use a keytab below */ /* we'll try to use a keytab below */
krb5_cc_close(context, ccache); krb5_cc_close(context, ccache);
def_princ = NULL; def_princ = NULL;
kret = 0; kret = 0;
try_get_init_creds = 1;
} else if (handle->principal == NULL) { } else if (handle->principal == NULL) {
kret = krb5_copy_principal(context, def_princ, &handle->principal); kret = krb5_copy_principal(context, def_princ, &handle->principal);
if (kret) if (kret)
@@ -146,15 +144,14 @@ static OM_uint32 acquire_initiator_cred
} else if (handle->principal != NULL && } else if (handle->principal != NULL &&
krb5_principal_compare(context, handle->principal, krb5_principal_compare(context, handle->principal,
def_princ) == FALSE) { def_princ) == FALSE) {
krb5_free_principal(context, def_princ);
def_princ = NULL;
krb5_cc_close(context, ccache); krb5_cc_close(context, ccache);
ccache = NULL; ccache = NULL;
try_get_init_creds = 1;
} }
if (def_princ == NULL) { krb5_free_principal(context, def_princ);
/* We have no existing credentials cache, def_princ = NULL;
* so attempt to get a TGT using a keytab.
*/ if (try_get_init_creds) {
if (handle->principal == NULL) { if (handle->principal == NULL) {
kret = krb5_get_default_principal(context, &handle->principal); kret = krb5_get_default_principal(context, &handle->principal);
if (kret) if (kret)
@@ -206,22 +203,20 @@ static OM_uint32 acquire_initiator_cred
krb5_cc_destroy(context, ccache); krb5_cc_destroy(context, ccache);
goto end; goto end;
} }
handle->lifetime = cred.times.endtime;
handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
} else {
ret = __gsskrb5_ccache_lifetime(minor_status,
context,
ccache,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_cc_close(context, ccache);
goto end;
}
kret = 0;
} }
found:
found:
ret = __gsskrb5_ccache_lifetime(minor_status,
context,
ccache,
handle->principal,
&handle->lifetime);
if (ret != GSS_S_COMPLETE) {
krb5_cc_close(context, ccache);
goto end;
}
kret = 0;
handle->ccache = ccache; handle->ccache = ccache;
ret = GSS_S_COMPLETE; ret = GSS_S_COMPLETE;
@@ -242,7 +237,6 @@ static OM_uint32 acquire_acceptor_cred
krb5_context context, krb5_context context,
gss_const_OID credential_type, gss_const_OID credential_type,
const void *credential_data, const void *credential_data,
gss_const_name_t desired_name,
OM_uint32 time_req, OM_uint32 time_req,
gss_const_OID desired_mech, gss_const_OID desired_mech,
gss_cred_usage_t cred_usage, gss_cred_usage_t cred_usage,
@@ -395,8 +389,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, context, ret = acquire_initiator_cred(minor_status, context,
credential_type, credential_data, credential_type, credential_data,
desired_name, time_req, time_req, desired_mech, cred_usage,
desired_mech, cred_usage, handle); handle);
if (ret != GSS_S_COMPLETE) { if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal); krb5_free_principal(context, handle->principal);
@@ -407,8 +401,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, context, ret = acquire_acceptor_cred(minor_status, context,
credential_type, credential_data, credential_type, credential_data,
desired_name, time_req, time_req, desired_mech, cred_usage,
desired_mech, cred_usage, handle); handle);
if (ret != GSS_S_COMPLETE) { if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal); krb5_free_principal(context, handle->principal);
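Review bot: In acquire_initiator_cred the new `if (kret != 0)` branch after `krb5_cc_default()` (hunk `@@ -119,26 +119,24 @@`) is now also reached when krb5_cc_default() itself fails, and in that case ccache is still the NULL it was initialised to a few lines earlier; krb5_cc_close() dereferences its cache argument as far as I can tell, so this path crashes where the old code jumped to `end`. Guard the close and clear the pointer so this branch matches the principal-mismatch branch below it: `if (ccache)` / `    krb5_cc_close(context, ccache);` / `ccache = NULL;`. Separately, the `__gsskrb5_ccache_lifetime()` check that moved under `found:` closes ccache on failure, but when it is reached through the try_get_init_creds path the cache appears to be a temporary one (the neighbouring failure path uses krb5_cc_destroy() and the handle gets GSS_CF_DESTROY_CRED_ON_RELEASE), so a lifetime failure there would leave a stray cache behind; destroying it when `handle->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE` is set would be consistent with the rest of the function. acquire_initiator_cred begins and ends outside the shown hunks, so the cleanup at `end:` is not visible here.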