diff options
| author | Greg Hudson <ghudson@mit.edu> | 2012-06-27 15:52:21 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-06-27 15:52:21 -0400 |
| commit | d53df944e3b00372a3ffd1068bbd2a7346185ab0 (patch) | |
| tree | 12103d3b0987a25d3bee46c167fe78dafde1ad66 /src | |
| parent | 5bff5c5064a58eb206a6e2e1ba5ccf746569b761 (diff) | |
| download | krb5-d53df944e3b00372a3ffd1068bbd2a7346185ab0.tar.gz krb5-d53df944e3b00372a3ffd1068bbd2a7346185ab0.tar.xz krb5-d53df944e3b00372a3ffd1068bbd2a7346185ab0.zip | |
Scan ccache more efficiently in gss_acquire_cred
Avoid rereading the ccache in order to find the impersonator config
entry. Instead, check each entry as we scan through the first time.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 53 |
1 files changed, 25 insertions, 28 deletions
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index c7a156e0b..ef3f1df46 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -366,32 +366,28 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, return 0; } -/* If an impersonator config entry exists in ccache, set *impersonator_out to - * the parsed principal. Otherwise set *impersonator_out to NULL. */ +/* Set fields in cred according to a ccache config entry whose key (in + * principal form) is config_princ and whose value is value. */ static krb5_error_code -get_impersonator(krb5_context context, krb5_ccache ccache, - krb5_principal *impersonator_out) +scan_cc_config(krb5_context context, krb5_gss_cred_id_rec *cred, + krb5_const_principal config_princ, const krb5_data *value) { krb5_error_code code; - krb5_data data = empty_data(), data0 = empty_data(); + krb5_data data0 = empty_data(); - *impersonator_out = NULL; - - code = krb5_cc_get_config(context, ccache, NULL, - KRB5_CONF_PROXY_IMPERSONATOR, &data); - if (code) - return (code == KRB5_CC_NOTFOUND) ? 0 : code; - - code = krb5int_copy_data_contents_add0(context, &data, &data0); - if (code) - goto cleanup; - - code = krb5_parse_name(context, data0.data, impersonator_out); - -cleanup: - krb5_free_data_contents(context, &data); - krb5_free_data_contents(context, &data0); - return code; + if (config_princ->length != 2) + return 0; + if (data_eq_string(config_princ->data[1], KRB5_CONF_PROXY_IMPERSONATOR) && + cred->impersonator == NULL) { + code = krb5int_copy_data_contents_add0(context, value, &data0); + if (code) + return code; + code = krb5_parse_name(context, data0.data, &cred->impersonator); + krb5_free_data_contents(context, &data0); + if (code) + return code; + } + return 0; } /* Check ccache and scan it for its expiry time. On success, cred takes @@ -451,14 +447,19 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, return code; } while (!(code = krb5_cc_next_cred(context, ccache, &cursor, &creds))) { + if (krb5_is_config_principal(context, creds.server)) { + code = scan_cc_config(context, cred, creds.server, &creds.ticket); + krb5_free_cred_contents(context, &creds); + if (code) + break; + continue; + } is_tgt = krb5_principal_compare(context, tgt_princ, creds.server); endtime = creds.times.endtime; krb5_free_cred_contents(context, &creds); if (is_tgt || !got_endtime) cred->tgt_expire = creds.times.endtime; got_endtime = 1; - if (is_tgt) - break; } krb5_cc_end_seq_get(context, ccache, &cursor); if (code && code != KRB5_CC_END) @@ -470,10 +471,6 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred, goto cleanup; } - code = get_impersonator(context, ccache, &cred->impersonator); - if (code) - goto cleanup; - (void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE); cred->ccache = ccache; |