authorGreg Hudson <ghudson@mit.edu>2012-07-02 00:57:34 -0400
committerGreg Hudson <ghudson@mit.edu>2012-07-02 00:57:34 -0400
commit49ba7c90fce86581ff6faaa9ee48c80b0be9491e (patch)
treee8d2a58eb57aa54ef931dc672e9a70068f948ac7 /src/lib/gssapi/krb5/iakerb.c
parent18b02f3e839c007fff54fc9b693f479b7563ec73 (diff)
Get default cred only once in gss-krb5 initiator
In the regular krb5 code path, only get a default krb5 cred for the initial token, since we don't need the cred for mutual_auth anyway. In the IAKERB mechanism, cache the default cred in iakerb_ctx_id_rec so we don't have to construct it again for each token. Also, get an IAKERB default cred, not a regular krb5 cred (a bug which is harmless now, but becomes more of a problem with keytab initiation changes).
Diffstat (limited to 'src/lib/gssapi/krb5/iakerb.c')
-rw-r--r--src/lib/gssapi/krb5/iakerb.c32
1 files changed, 17 insertions, 15 deletions
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 31fd190a5f..1b3236e664 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -40,6 +40,7 @@ enum iakerb_state {
struct _iakerb_ctx_id_rec {
krb5_magic magic; /* KG_IAKERB_CONTEXT */
krb5_context k5c;
+ gss_cred_id_t defcred; /* Initiator only */
enum iakerb_state state; /* Initiator only */
krb5_init_creds_context icc; /* Initiator only */
krb5_tkt_creds_context tcc; /* Initiator only */
@@ -65,6 +66,7 @@ iakerb_release_context(iakerb_ctx_id_t ctx)
if (ctx == NULL)
return;
+ krb5_gss_release_cred(&tmp, &ctx->defcred);
krb5_init_creds_free(ctx->k5c, ctx->icc);
krb5_tkt_creds_free(ctx->k5c, ctx->tcc);
krb5_gss_delete_sec_context(&tmp, &ctx->gssc, NULL);
@@ -710,6 +712,7 @@ iakerb_alloc_context(iakerb_ctx_id_t *pctx)
ctx = k5alloc(sizeof(*ctx), &code);
if (ctx == NULL)
goto cleanup;
+ ctx->defcred = GSS_C_NO_CREDENTIAL;
ctx->magic = KG_IAKERB_CONTEXT;
ctx->state = IAKERB_AS_REQ;
ctx->count = 0;
@@ -893,10 +896,8 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
OM_uint32 *time_rec)
{
OM_uint32 major_status = GSS_S_FAILURE;
- OM_uint32 tmpmin;
krb5_error_code code;
iakerb_ctx_id_t ctx;
- gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
krb5_gss_cred_id_t kcred;
krb5_gss_name_t kname;
krb5_boolean cred_locked = FALSE;
@@ -908,22 +909,24 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
*minor_status = code;
goto cleanup;
}
- } else
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
+ major_status = iakerb_gss_acquire_cred(minor_status, NULL,
+ GSS_C_INDEFINITE,
+ GSS_C_NULL_OID_SET,
+ GSS_C_INITIATE,
+ &ctx->defcred, NULL, NULL);
+ if (GSS_ERROR(major_status))
+ goto cleanup;
+ claimant_cred_handle = ctx->defcred;
+ }
+ } else {
ctx = (iakerb_ctx_id_t)*context_handle;
+ if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
+ claimant_cred_handle = ctx->defcred;
+ }
kname = (krb5_gss_name_t)target_name;
- if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
- major_status = krb5_gss_acquire_cred(minor_status, NULL,
- GSS_C_INDEFINITE,
- GSS_C_NULL_OID_SET,
- GSS_C_INITIATE,
- &defcred, NULL, NULL);
- if (GSS_ERROR(major_status))
- goto cleanup;
- claimant_cred_handle = defcred;
- }
-
major_status = kg_cred_resolve(minor_status, ctx->k5c,
claimant_cred_handle, target_name);
if (GSS_ERROR(major_status))
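Review bot: The continuation branch (`else { ctx = ...; if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) claimant_cred_handle = ctx->defcred; }`) substitutes `ctx->defcred` for a missing caller credential, but `defcred` is only acquired in the first-call branch, so if the initial call carried an explicit credential and a later call passes `GSS_C_NO_CREDENTIAL`, `kg_cred_resolve` is now reached with a null handle, a case the removed code never produced because it always acquired a default credential. Whether `kg_cred_resolve` tolerates a null credential is not visible here, so it seems safer to fail explicitly before the call: `if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) { *minor_status = 0; major_status = GSS_S_NO_CRED; goto cleanup; }`. A one-line comment on the `defcred` substitution, e.g. `/* A caller that supplied no cred on the first call is expected to supply none on later calls; reuse the default we cached. */`, would make the assumption explicit. The body of iakerb_gss_init_sec_context continues past this hunk.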
@@ -1011,7 +1014,6 @@ cleanup:
iakerb_release_context(ctx);
*context_handle = GSS_C_NO_CONTEXT;
}
- krb5_gss_release_cred(&tmpmin, &defcred);
return major_status;
}