diff options
| author | Sam Hartman <hartmans@mit.edu> | 2003-03-04 20:45:32 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2003-03-04 20:45:32 +0000 |
| commit | f956ffa323ab8a88295f0b6b0ee772b62165534b (patch) | |
| tree | 57cc931dca664c59708dd9fd8c230bb4c8f8c417 /src/lib/gssapi | |
| parent | 59c236f3e91fc0eab00f7b2dfb10ad5da715c228 (diff) | |
GSS_C_NO_CREDENTIAL should accept any principal
If a context is accepted with GSS_C_NO_CREDENTIAL or if a credential
is acquired with GSS_C_NO_NAME as the acceptor name then allow any
principal in the keytab to be used as the acceptor name.
This means that gss_inquire_cred can return GSS_C_NO_NAME from a
credential.
ticket: new
Tags: enhancement
cc: nicolas.williams@sun.com
cc: krbdev@mit.edu
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15218 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/gssapi')
| -rw-r--r-- | src/lib/gssapi/krb5/ChangeLog | 22 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 10 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 49 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/add_cred.c | 18 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/inq_cred.c | 3 |
5 files changed, 62 insertions, 40 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index b85af053e..e6f06e2a1 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,25 @@ +2003-03-02 Sam Hartman <hartmans@mit.edu> + + * accept_sec_context.c (krb5_gss_accept_sec_context): Deal with + creds without rcache available. They will be slower. + + * add_cred.c (krb5_gss_add_cred): Deal with princ being null + + * accept_sec_context.c (krb5_gss_accept_sec_context): Populate + ctx->here from ticket->server instead of cred->princ. If + cred->princ exists it will be the same, but the previous change + may make it null + + * inq_cred.c (krb5_gss_inquire_cred): Allow for null princ + component of credentials + + * acquire_cred.c: When acquiring acceptor credentials, allow + GSS_C_NO_NAME to mean that we accept any credential. In this case + we do not look to see if the principal is found in the keytab and + we leave princ null in the context. This means you get + GSS_C_NO_NAME out from inquire_cred. If cred->princ is null + don't set up a rcache + 2003-03-01 Tom Yu <tlyu@mit.edu> * accept_sec_context.c (krb5_gss_accept_sec_context): Don't diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index be212b526..899ca5a2f 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -360,9 +360,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle, } krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); - if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { - major_status = GSS_S_FAILURE; - goto fail; + if (cred->rcache) { + if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) { + major_status = GSS_S_FAILURE; + goto fail; + } } if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) { major_status = GSS_S_FAILURE; @@ -580,7 +582,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } - if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) { + if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) { major_status = GSS_S_FAILURE; goto fail; } diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index daa900a31..23a17b863 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -108,42 +108,31 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred) return(GSS_S_CRED_UNAVAIL); } - /* figure out what principal to use. If the default name is - requested, use the default sn2princ output */ - - if (desired_name == (gss_name_t) NULL) { - if ((code = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST, - &princ))) { - (void) krb5_kt_close(context, kt); - *minor_status = code; - return(GSS_S_FAILURE); - } - *output_princ = princ; - } else { - princ = (krb5_principal) desired_name; - } - - if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) { +if (desired_name != GSS_C_NO_NAME) { + princ = (krb5_principal) desired_name; + if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) { (void) krb5_kt_close(context, kt); if (code == KRB5_KT_NOTFOUND) - *minor_status = KG_KEYTAB_NOMATCH; + *minor_status = KG_KEYTAB_NOMATCH; else - *minor_status = code; + *minor_status = code; return(GSS_S_CRED_UNAVAIL); - } - krb5_kt_free_entry(context, &entry); + } + krb5_kt_free_entry(context, &entry); - /* hooray. we made it */ + /* Open the replay cache for this principal. */ + if ((code = krb5_get_server_rcache(context, + krb5_princ_component(context, princ, 0), + &cred->rcache))) { + *minor_status = code; + return(GSS_S_FAILURE); + } - cred->keytab = kt; +} - /* Open the replay cache for this principal. */ - if ((code = krb5_get_server_rcache(context, - krb5_princ_component(context, princ, 0), - &cred->rcache))) { - *minor_status = code; - return(GSS_S_FAILURE); - } +/* hooray. we made it */ + + cred->keytab = kt; return(GSS_S_COMPLETE); } @@ -413,7 +402,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req, /* if the princ wasn't filled in already, fill it in now */ - if (!cred->princ) + if (!cred->princ && (desired_name != GSS_C_NO_CREDENTIAL)) if ((code = krb5_copy_principal(context, (krb5_principal) desired_name, &(cred->princ)))) { if (cred->ccache) diff --git a/src/lib/gssapi/krb5/add_cred.c b/src/lib/gssapi/krb5/add_cred.c index 4bbee5ef3..254abfe06 100644 --- a/src/lib/gssapi/krb5/add_cred.c +++ b/src/lib/gssapi/krb5/add_cred.c @@ -181,7 +181,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle, new_cred->rfc_mech = cred->rfc_mech; new_cred->tgt_expire = cred->tgt_expire; - code = krb5_copy_principal(context, cred->princ, &new_cred->princ); + if (cred->princ) + code = krb5_copy_principal(context, cred->princ, &new_cred->princ); if (code) { xfree(new_cred); @@ -192,7 +193,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle, if (cred->keytab) { kttype = krb5_kt_get_type(context, cred->keytab); if ((strlen(kttype)+2) > sizeof(ktboth)) { - krb5_free_principal(context, new_cred->princ); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); xfree(new_cred); *minor_status = ENOMEM; @@ -207,7 +209,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle, ktboth+strlen(ktboth), sizeof(ktboth)-strlen(ktboth)); if (code) { - krb5_free_principal(context, new_cred->princ); + if(new_cred->princ) + krb5_free_principal(context, new_cred->princ); xfree(new_cred); *minor_status = code; @@ -216,6 +219,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle, code = krb5_kt_resolve(context, ktboth, &new_cred->keytab); if (code) { + if (new_cred->princ) krb5_free_principal(context, new_cred->princ); xfree(new_cred); @@ -233,7 +237,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle, &new_cred->rcache))) { if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); - krb5_free_principal(context, new_cred->princ); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); xfree(new_cred); *minor_status = code; @@ -252,6 +257,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle, krb5_rc_close(context, new_cred->rcache); if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) krb5_free_principal(context, new_cred->princ); xfree(new_cred); @@ -270,7 +276,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle, krb5_rc_close(context, new_cred->rcache); if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); - krb5_free_principal(context, new_cred->princ); + if (new_cred->princ) + krb5_free_principal(context, new_cred->princ); xfree(new_cred); *minor_status = code; @@ -289,6 +296,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle, krb5_rc_close(context, new_cred->rcache); if (new_cred->keytab) krb5_kt_close(context, new_cred->keytab); + if (new_cred->princ) krb5_free_principal(context, new_cred->princ); xfree(new_cred); diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c index 88001ff4e..a79034d9e 100644 --- a/src/lib/gssapi/krb5/inq_cred.c +++ b/src/lib/gssapi/krb5/inq_cred.c @@ -129,7 +129,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, lifetime = GSS_C_INDEFINITE; if (name) { - if ((code = krb5_copy_principal(context, cred->princ, &ret_name))) { + if (cred->princ && + (code = krb5_copy_principal(context, cred->princ, &ret_name))) { *minor_status = code; return(GSS_S_FAILURE); } |