authorSam Hartman <hartmans@mit.edu>2003-03-04 20:45:32 +0000
committerSam Hartman <hartmans@mit.edu>2003-03-04 20:45:32 +0000
commitf956ffa323ab8a88295f0b6b0ee772b62165534b (patch)
tree57cc931dca664c59708dd9fd8c230bb4c8f8c417 /src/lib
parent59c236f3e91fc0eab00f7b2dfb10ad5da715c228 (diff)
GSS_C_NO_CREDENTIAL should accept any principal
If a context is accepted with GSS_C_NO_CREDENTIAL or if a credential is acquired with GSS_C_NO_NAME as the acceptor name then allow any principal in the keytab to be used as the acceptor name. This means that gss_inquire_cred can return GSS_C_NO_NAME from a credential. ticket: new Tags: enhancement cc: nicolas.williams@sun.com cc: krbdev@mit.edu git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15218 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/gssapi/krb5/ChangeLog22
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c10
-rw-r--r--src/lib/gssapi/krb5/acquire_cred.c49
-rw-r--r--src/lib/gssapi/krb5/add_cred.c18
-rw-r--r--src/lib/gssapi/krb5/inq_cred.c3
-rw-r--r--src/lib/krb5/krb/ChangeLog6
-rw-r--r--src/lib/krb5/krb/rd_req.c3
-rw-r--r--src/lib/krb5/krb/srv_rcache.c6
8 files changed, 75 insertions, 42 deletions
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index b85af053e..e6f06e2a1 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,25 @@
+2003-03-02 Sam Hartman <hartmans@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Deal with
+ creds without rcache available. They will be slower.
+
+ * add_cred.c (krb5_gss_add_cred): Deal with princ being null
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Populate
+ ctx->here from ticket->server instead of cred->princ. If
+ cred->princ exists it will be the same, but the previous change
+ may make it null
+
+ * inq_cred.c (krb5_gss_inquire_cred): Allow for null princ
+ component of credentials
+
+ * acquire_cred.c: When acquiring acceptor credentials, allow
+ GSS_C_NO_NAME to mean that we accept any credential. In this case
+ we do not look to see if the principal is found in the keytab and
+ we leave princ null in the context. This means you get
+ GSS_C_NO_NAME out from inquire_cred. If cred->princ is null
+ don't set up a rcache
+
2003-03-01 Tom Yu <tlyu@mit.edu>
* accept_sec_context.c (krb5_gss_accept_sec_context): Don't
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index be212b526..899ca5a2f 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -360,9 +360,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
}
krb5_auth_con_setflags(context, auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
- if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
- major_status = GSS_S_FAILURE;
- goto fail;
+ if (cred->rcache) {
+ if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
}
if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
major_status = GSS_S_FAILURE;
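Review bot: When `cred->rcache` is null the auth context is left without a replay cache at this point, so replay detection for the context depends on `krb5_rd_req` opening one from the ticket's server name (the rd_req.c change in this commit), and nothing at this site records that. Add a comment on the new `if`, e.g. `/* Creds acquired with GSS_C_NO_NAME carry no rcache; krb5_rd_req opens one per ticket from ticket->server (slower). */`. krb5_gss_accept_sec_context starts before and continues after this hunk.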
@@ -580,7 +582,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
- if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) {
+ if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
major_status = GSS_S_FAILURE;
goto fail;
}
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index daa900a31..23a17b863 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -108,42 +108,31 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
return(GSS_S_CRED_UNAVAIL);
}
- /* figure out what principal to use. If the default name is
- requested, use the default sn2princ output */
-
- if (desired_name == (gss_name_t) NULL) {
- if ((code = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST,
- &princ))) {
- (void) krb5_kt_close(context, kt);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- *output_princ = princ;
- } else {
- princ = (krb5_principal) desired_name;
- }
-
- if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
+if (desired_name != GSS_C_NO_NAME) {
+ princ = (krb5_principal) desired_name;
+ if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
(void) krb5_kt_close(context, kt);
if (code == KRB5_KT_NOTFOUND)
- *minor_status = KG_KEYTAB_NOMATCH;
+ *minor_status = KG_KEYTAB_NOMATCH;
else
- *minor_status = code;
+ *minor_status = code;
return(GSS_S_CRED_UNAVAIL);
- }
- krb5_kt_free_entry(context, &entry);
+ }
+ krb5_kt_free_entry(context, &entry);
- /* hooray. we made it */
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, princ, 0),
+ &cred->rcache))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- cred->keytab = kt;
+}
- /* Open the replay cache for this principal. */
- if ((code = krb5_get_server_rcache(context,
- krb5_princ_component(context, princ, 0),
- &cred->rcache))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+/* hooray. we made it */
+
+ cred->keytab = kt;
return(GSS_S_COMPLETE);
}
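Review bot: The reordering leaks `kt` when `krb5_get_server_rcache` fails: `cred->keytab = kt` now comes after the rcache block, so the `return(GSS_S_FAILURE)` inside the new `if (desired_name != GSS_C_NO_NAME)` block returns with the keytab neither stored in the cred nor closed, whereas the `krb5_kt_get_entry` failure path just above it does `(void) krb5_kt_close(context, kt);`. Add that same close before the rcache failure return. Separately, with `GSS_C_NO_NAME` the keytab is no longer checked for any usable entry, so a keytab with no matching key only fails later at accept time; that appears intended per the ChangeLog but deserves a comment such as `/* GSS_C_NO_NAME: any principal in the keytab may be the acceptor; no entry check and no rcache here (krb5_rd_req opens one per ticket). */`. The new `if` block and its closing brace sit at column 0 while the rest of the function body is indented, so reindent them. acquire_accept_cred begins before this hunk.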
@@ -413,7 +402,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
/* if the princ wasn't filled in already, fill it in now */
- if (!cred->princ)
+ if (!cred->princ && (desired_name != GSS_C_NO_CREDENTIAL))
if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
&(cred->princ)))) {
if (cred->ccache)
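Review bot: `desired_name` is a `gss_name_t` but is compared against `GSS_C_NO_CREDENTIAL`, the null `gss_cred_id_t` constant; the matching constant is `GSS_C_NO_NAME`, which the acquire_accept_cred change in this same file already uses. Both presumably expand to a null pointer here so behaviour is unchanged, but the mismatch reads as a typo: `if (!cred->princ && (desired_name != GSS_C_NO_NAME))`. krb5_gss_acquire_cred extends beyond this hunk.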
diff --git a/src/lib/gssapi/krb5/add_cred.c b/src/lib/gssapi/krb5/add_cred.c
index 4bbee5ef3..254abfe06 100644
--- a/src/lib/gssapi/krb5/add_cred.c
+++ b/src/lib/gssapi/krb5/add_cred.c
@@ -181,7 +181,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
new_cred->rfc_mech = cred->rfc_mech;
new_cred->tgt_expire = cred->tgt_expire;
- code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+ if (cred->princ)
+ code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
if (code) {
xfree(new_cred);
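Review bot: When `cred->princ` is null the `krb5_copy_principal` call is skipped, but `code` is still tested on the next line and `new_cred->princ` is never assigned; unless both were initialised earlier in krb5_gss_add_cred (the function starts before this hunk, so that cannot be confirmed here), `if (code)` reads an indeterminate value and the `if (new_cred->princ)` guards added in the hunks at @@ -192, -207, -216, -233, -252, -270 and -289 may free an indeterminate pointer. Make the alternative explicit: `if (cred->princ) code = krb5_copy_principal(context, cred->princ, &new_cred->princ); else { new_cred->princ = NULL; code = 0; }`. The hunks at @@ -216, -252 and -289 add a bare `if (new_cred->princ)` above an existing `krb5_free_principal` line; bracing those bodies would match the other sites and avoid a dangling-statement hazard on later edits.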
@@ -192,7 +193,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
if (cred->keytab) {
kttype = krb5_kt_get_type(context, cred->keytab);
if ((strlen(kttype)+2) > sizeof(ktboth)) {
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
*minor_status = ENOMEM;
@@ -207,7 +209,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
ktboth+strlen(ktboth),
sizeof(ktboth)-strlen(ktboth));
if (code) {
- krb5_free_principal(context, new_cred->princ);
+ if(new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
*minor_status = code;
@@ -216,6 +219,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
if (code) {
+ if (new_cred->princ)
krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
@@ -233,7 +237,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
&new_cred->rcache))) {
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
*minor_status = code;
@@ -252,6 +257,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
krb5_rc_close(context, new_cred->rcache);
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
@@ -270,7 +276,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
krb5_rc_close(context, new_cred->rcache);
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
- krb5_free_principal(context, new_cred->princ);
+ if (new_cred->princ)
+ krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
*minor_status = code;
@@ -289,6 +296,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
krb5_rc_close(context, new_cred->rcache);
if (new_cred->keytab)
krb5_kt_close(context, new_cred->keytab);
+ if (new_cred->princ)
krb5_free_principal(context, new_cred->princ);
xfree(new_cred);
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index 88001ff4e..a79034d9e 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -129,7 +129,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
lifetime = GSS_C_INDEFINITE;
if (name) {
- if ((code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+ if (cred->princ &&
+ (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
*minor_status = code;
return(GSS_S_FAILURE);
}
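Review bot: With `cred->princ` null the copy is skipped and `ret_name` keeps whatever value it had at its declaration, which lies outside this hunk; if the function later returns it through `*name`, it must be initialised to `NULL` (GSS_C_NO_NAME) where declared or set explicitly here, e.g. `if (cred->princ) { ... } else ret_name = NULL;`. A comment such as `/* princ is NULL for an acceptor cred acquired with GSS_C_NO_NAME; report GSS_C_NO_NAME. */` would document the new case. krb5_gss_inquire_cred continues past this hunk.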
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 036e8ed51..55cf03d5c 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,9 @@
+2003-03-02 Sam Hartman <hartmans@mit.edu>
+
+ * srv_rcache.c (krb5_get_server_rcache): If punctuation or graphic characters in replay ccache name then use escaping
+
+ * rd_req.c (krb5_rd_req): Allow initializing the replay cache from the ticket
+
2003-02-25 Tom Yu <tlyu@mit.edu>
* gic_pwd.c (krb5_get_init_creds_password): Don't pass a NULL
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index bc4586e28..f844e3cd6 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -79,6 +79,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da
*auth_context = new_auth_context;
}
+ if (!server) {
+ server = request->ticket->server;
+ }
/* Get an rcache if necessary. */
if (((*auth_context)->rcache == NULL) && server) {
if ((retval = krb5_get_server_rcache(context,
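Review bot: `server` is now defaulted from `request->ticket->server`, which comes from the cleartext part of the AP-REQ and has not been authenticated at this point, and the following lines derive the replay-cache name from it. A forged name presumably still has to match a keytab key for the ticket to decrypt later, so the exposure should be limited to names the acceptor holds keys for, but a comment should record that the rcache is keyed on a peer-supplied name before verification, e.g. `/* No server given: key the rcache on the ticket's not-yet-verified server name; ticket decryption later rejects names without a keytab key. */`. Whether a later comparison of `server` against the decrypted ticket's server still has any effect when `server` aliases `request->ticket->server` is not visible here; krb5_rd_req continues beyond this hunk.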
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index e6abcfb90..290f869e5 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -31,6 +31,8 @@
#include <ctype.h>
#include <stdio.h>
+/* Macro for valid RC name characters*/
+#define isinvalidrcname(x) (isgraph(x)||ispunct(x))
krb5_error_code KRB5_CALLCONV
krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache *rcptr)
{
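Review bot: `isinvalidrcname` does not implement what the ChangeLog entry says: `ispunct(x)` is a subset of `isgraph(x)`, so `isgraph(x)||ispunct(x)` is equivalent to `isgraph(x)` and the two call sites below (`!isinvalidrcname(...)`) escape exactly the same characters as before. The name is also inverted, since the macro is true for the characters that are kept literally. If punctuation is meant to be escaped as well, use `#define isvalidrcname(x) (isgraph(x) && !ispunct(x))` and change the callers to `!isvalidrcname(...)`; if not, drop the macro. Either way the argument should be cast to `unsigned char` rather than `int` at the call sites, since `piece->data` is `char` and passing a negative value to a `<ctype.h>` function is undefined.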
@@ -58,7 +60,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
for (i = 0; i < piece->length; i++) {
if (piece->data[i] == '\\')
len++;
- else if (!isgraph((int) piece->data[i]))
+ else if (!isinvalidrcname((int) piece->data[i]))
len += 3;
}
@@ -81,7 +83,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
cachename[p++] = '\\';
continue;
}
- if (!isgraph((int) piece->data[i])) {
+ if (!isinvalidrcname((int) piece->data[i])) {
sprintf(tmp, "%03o", piece->data[i]);
cachename[p++] = '\\';
cachename[p++] = tmp[0];