authorGreg Hudson <ghudson@mit.edu>2011-09-05 16:35:40 +0000
committerGreg Hudson <ghudson@mit.edu>2011-09-05 16:35:40 +0000
commit1cd2821c19b2b95e39d5fc2f451a035585a40fa5 (patch)
treeda78b3780a8cbf0c57977ad4504c5336b03fb49b /src/lib/gssapi/krb5/inq_cred.c
parent7c5926d866b1874e66ef5d05416ff024faab01ff (diff)
Make gss-krb5 use cache collection
For default credentials, defer ccache resolution until we need the information. If this happens in init_sec_context when we have the target principal in hand, use krb5_cc_select() to pick a cache. If the target principal is not known, use the default cache. For credentials with a specified principal, use krb5_cc_cache_match() to find the cache. If no cache is found and a password is specified, create a new cache within the collection to hold the new credentials, if the default cache type supports a collection. ticket: 6958 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25160 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi/krb5/inq_cred.c')
-rw-r--r--src/lib/gssapi/krb5/inq_cred.c49
1 files changed, 18 insertions, 31 deletions
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index cc24e7a903..f523a545cf 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -83,14 +83,14 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
gss_OID_set *mechanisms;
{
krb5_context context;
- krb5_gss_cred_id_t cred;
+ krb5_gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL, cred;
krb5_error_code code;
krb5_timestamp now;
krb5_deltat lifetime;
krb5_gss_name_t ret_name;
krb5_principal princ;
gss_OID_set mechs;
- OM_uint32 ret;
+ OM_uint32 major, tmpmin, ret;
ret = GSS_S_FAILURE;
ret_name = NULL;
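Review bot: `defcred` is declared as `krb5_gss_cred_id_t`, yet later hunks pass `&defcred` to `kg_get_defcred` and `krb5_gss_release_cred` without the `(gss_cred_id_t *)` cast that the removed calls used, which suggests those functions take a `gss_cred_id_t *` (their prototypes are not visible here). Declaring it with the public handle type, `gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;`, and leaving `krb5_gss_cred_id_t cred;` on its own line would avoid an incompatible-pointer conversion and keep the single cast at `cred = (krb5_gss_cred_id_t)cred_handle;`. The declaration list and the function body continue outside this hunk.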
@@ -104,39 +104,31 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
if (name) *name = NULL;
if (mechanisms) *mechanisms = NULL;
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ ret = GSS_S_FAILURE;
+ goto fail;
+ }
+
/* check for default credential */
/*SUPPRESS 29*/
if (cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 major;
-
- if ((major = kg_get_defcred(minor_status, (gss_cred_id_t *)&cred)) &&
- GSS_ERROR(major)) {
- krb5_free_context(context);
- return(major);
- }
- } else {
- OM_uint32 major;
-
- major = krb5_gss_validate_cred(minor_status, cred_handle);
+ major = kg_get_defcred(minor_status, &defcred);
if (GSS_ERROR(major)) {
krb5_free_context(context);
return(major);
}
- cred = (krb5_gss_cred_id_t) cred_handle;
+ cred_handle = defcred;
}
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- ret = GSS_S_FAILURE;
- goto fail;
+ major = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (GSS_ERROR(major)) {
+ krb5_gss_release_cred(minor_status, &defcred);
+ krb5_free_context(context);
+ return(major);
}
+ cred = (krb5_gss_cred_id_t)cred_handle;
- code = k5_mutex_lock(&cred->lock);
- if (code != 0) {
- *minor_status = code;
- ret = GSS_S_FAILURE;
- goto fail;
- }
if (cred->tgt_expire > 0) {
if ((lifetime = cred->tgt_expire - now) < 0)
lifetime = 0;
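Review bot: The `krb5_timeofday` check added at the top of this hunk jumps to `fail:` before `cred` has been assigned, and the last hunk makes `fail:` call `k5_mutex_unlock(&cred->lock)`, so a clock failure dereferences an uninitialized pointer. Either move the check below `cred = (krb5_gss_cred_id_t)cred_handle;` or replace its `goto fail;` with `krb5_free_context(context); return GSS_S_FAILURE;`. The unlock at `fail:` also presumes the credential lock is already held once validation returns, since the explicit `k5_mutex_lock` is removed here; that contract lives outside this hunk and deserves a comment at the call, such as `/* on success the cred lock is held */`, once confirmed. Separately, the validation-failure path passes `minor_status` to `krb5_gss_release_cred`, which may overwrite the minor code just reported; `krb5_gss_release_cred(&tmpmin, &defcred);` would preserve it, as the `fail:` path already does.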
@@ -161,7 +153,6 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
code = 0;
}
if (code) {
- k5_mutex_unlock(&cred->lock);
*minor_status = code;
save_error_info(*minor_status, context);
ret = GSS_S_FAILURE;
@@ -178,7 +169,6 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
gss_mech_krb5,
&mechs))) {
- k5_mutex_unlock(&cred->lock);
if (ret_name)
kg_release_name(context, &ret_name);
/* *minor_status set above */
@@ -210,11 +200,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
*minor_status = 0;
return((lifetime == 0)?GSS_S_CREDENTIALS_EXPIRED:GSS_S_COMPLETE);
fail:
- if (cred_handle == GSS_C_NO_CREDENTIAL) {
- OM_uint32 tmp_min_stat;
-
- krb5_gss_release_cred(&tmp_min_stat, (gss_cred_id_t *)&cred);
- }
+ k5_mutex_unlock(&cred->lock);
+ krb5_gss_release_cred(&tmpmin, &defcred);
krb5_free_context(context);
return ret;
}