Diffstat (limited to 'src/lib/gssapi')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog10
-rw-r--r--src/lib/gssapi/krb5/Makefile.in3
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c9
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h5
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c9
-rw-r--r--src/lib/gssapi/krb5/inq_cred.c9
-rw-r--r--src/lib/gssapi/krb5/val_cred.c66
7 files changed, 99 insertions, 12 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index ec1708012a..a641c39289 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,5 +1,15 @@
Sat Nov 15 20:14:05 1997 Theodore Y. Ts'o <tytso@mit.edu>
+ * accept_sec_context.c (krb5_gss_accept_sec_context),
+ init_sec_context.c (krb5_gss_init_sec_context),
+ inq_cred.c (krb5_gss_inquire_cred): Call krb5_gss_validate_cred
+ to make sure the credential handle is still valid.
+
+ * val_cred.c (krb5_gss_validate_cred): New file which validates
+ the credential to make sure it is valid, including
+ checking to make sure the credentials cache still points
+ at the same krb5 principal as it did before.
+
* accept_sec_context.c (krb5_gss_accept_sec_context): Return
GSS_S_FAILURE if a non-NULL context handle is passed to
it.
diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in
index 089b9401e6..bdeb4bd3ac 100644
--- a/src/lib/gssapi/krb5/Makefile.in
+++ b/src/lib/gssapi/krb5/Makefile.in
@@ -49,6 +49,7 @@ SRCS = \
$(srcdir)/util_crypt.c \
$(srcdir)/util_seed.c \
$(srcdir)/util_seqnum.c \
+ $(srcdir)/val_cred.c \
$(srcdir)/verify.c \
$(srcdir)/wrap_size_limit.c \
gssapi_err_krb5.c
@@ -92,6 +93,7 @@ OBJS = \
util_crypt.$(OBJEXT) \
util_seed.$(OBJEXT) \
util_seqnum.$(OBJEXT) \
+ val_cred.$(OBJECT) \
verify.$(OBJEXT) \
wrap_size_limit.$(OBJEXT) \
gssapi_err_krb5.$(OBJEXT)
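Review bot: The added OBJS entry spells the suffix variable `$(OBJECT)` while every neighbouring line uses `$(OBJEXT)`; an undefined make variable expands to nothing, so the object list would contain a bare `val_cred.` and the shared-library build would fail or silently omit the new validator. The line should read `	val_cred.$(OBJEXT) \`. The SRCS and STLIBOBJS hunks in this file are spelled correctly.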
@@ -135,6 +137,7 @@ STLIBOBJS = \
util_crypt.o \
util_seed.o \
util_seqnum.o \
+ val_cred.o \
verify.o \
wrap_size_limit.o \
gssapi_err_krb5.o
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 2c7821a30f..bf984d87a5 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -213,10 +213,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
*minor_status = 0;
return(GSS_S_NO_CRED);
} else {
- if (! kg_validate_cred_id(verifier_cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
- }
+ OM_uint32 major;
+
+ major = krb5_gss_validate_cred(minor_status, verifier_cred_handle);
+ if (GSS_ERROR(major))
+ return(major);
}
cred = (krb5_gss_cred_id_t) verifier_cred_handle;
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index b09722db1e..69b0031181 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -517,5 +517,10 @@ PROTOTYPE( (OM_uint32 *, /* minor_status */
const gss_name_t, /* input_name */
gss_name_t * /* dest_name */
));
+
+OM_uint32 krb5_gss_validate_cred
+PROTOTYPE( (OM_uint32 *, /* minor_status */
+ gss_cred_id_t /* cred */
+ ));
#endif /* _GSSAPIP_KRB5_H_ */
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index b3992bd7d2..2edf1b0720 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -261,10 +261,11 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
return(major);
}
} else {
- if (! kg_validate_cred_id(claimant_cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
- }
+ OM_uint32 major;
+
+ major = krb5_gss_validate_cred(minor_status, claimant_cred_handle);
+ if (GSS_ERROR(major))
+ return(major);
}
cred = (krb5_gss_cred_id_t) claimant_cred_handle;
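Review bot: The block-local `OM_uint32 major;` in the new else branch shadows a `major` that already exists in the enclosing function, as the context line `return(major);` just above the branch shows; the same pattern appears in the inq_cred.c hunk. Reusing the outer variable avoids a `-Wshadow` warning and the confusion of two status variables with one name: drop the declaration and blank line and keep `major = krb5_gss_validate_cred(minor_status, claimant_cred_handle);` followed by `if (GSS_ERROR(major)) return(major);`. krb5_gss_init_sec_context begins and ends outside this hunk, so the outer declaration is not visible here; this is inferred from the context line.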
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index f9811c347c..b2edc25712 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -56,10 +56,11 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
return(major);
}
} else {
- if (! kg_validate_cred_id(cred_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED);
- }
+ OM_uint32 major;
+
+ major = krb5_gss_validate_cred(minor_status, cred_handle);
+ if (GSS_ERROR(major))
+ return(major);
}
cred = (krb5_gss_cred_id_t) cred_handle;
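Review bot: Routing the check through krb5_gss_validate_cred changes the major status this function reports for a bad handle: the removed lines returned `GSS_S_CALL_BAD_STRUCTURE|GSS_S_NO_CRED`, while the new validator in val_cred.c returns `GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL` for the same failure. If any caller distinguishes GSS_S_NO_CRED from GSS_S_DEFECTIVE_CREDENTIAL when inquiring a credential, this is a visible behaviour change worth a ChangeLog sentence; if the unification is intended, a one-line comment such as `/* validation failures now report GSS_S_DEFECTIVE_CREDENTIAL, not GSS_S_NO_CRED */` would make it deliberate. krb5_gss_inquire_cred begins and ends outside this hunk.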
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
new file mode 100644
index 0000000000..f7c4c94c97
--- /dev/null
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright 1997 by Massachusetts Institute of Technology
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#include "gssapiP_krb5.h"
+
+/*
+ * Check to see whether or not a GSSAPI krb5 credential is valid. If
+ * it is not, return an error.
+ */
+
+OM_uint32
+krb5_gss_validate_cred(minor_status, cred_handle)
+ OM_uint32 *minor_status;
+ gss_cred_id_t cred_handle;
+{
+ krb5_context context;
+ krb5_gss_cred_id_t cred;
+ krb5_error_code code;
+ krb5_principal princ;
+
+ if (GSS_ERROR(kg_get_context(minor_status, &context)))
+ return(GSS_S_FAILURE);
+
+ if (!kg_validate_cred_id(cred_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_CALL_BAD_STRUCTURE|GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+
+ cred = (krb5_gss_cred_id_t) cred_handle;
+
+ if (cred->ccache) {
+ if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
+ *minor_status = code;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+ if (!krb5_principal_compare(context, princ, cred->princ)) {
+ *minor_status = KG_CCACHE_NOMATCH;
+ return(GSS_S_DEFECTIVE_CREDENTIAL);
+ }
+ }
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
+
+
+
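Review bot: The principal returned by krb5_cc_get_principal is never released: `princ` is compared against `cred->princ` and then dropped on both the mismatch return and the success path, so every validated call leaks a krb5_principal, and since this validator now runs on every init/accept/inquire the leak is per-operation, not per-credential. Save the comparison result, free `princ` with krb5_free_principal, and only then branch on the result. The ccache-principal check is the useful part of this commit — it stops a handle from acting as a different principal after the cache it points at has been replaced — so the check itself should stay exactly as written.
```c
	krb5_boolean match;
	/* … unchanged: context and handle validation … */
	if (cred->ccache) {
		if ((code = krb5_cc_get_principal(context, cred->ccache, &princ))) {
			*minor_status = code;
			return(GSS_S_DEFECTIVE_CREDENTIAL);
		}
		/* compare first, then release the principal the ccache handed us */
		match = krb5_principal_compare(context, princ, cred->princ);
		krb5_free_principal(context, princ);
		if (!match) {
			*minor_status = KG_CCACHE_NOMATCH;
			return(GSS_S_DEFECTIVE_CREDENTIAL);
		}
	}
	/* … unchanged: success return … */
```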