diff options
| author | Greg Hudson <ghudson@mit.edu> | 2010-05-17 20:01:29 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2010-05-17 20:01:29 +0000 |
| commit | a4b8735a567e71e0c984e2ef4bfc9c491405d671 (patch) | |
| tree | be226602c1615c217fc65f7c708c3079442f8c1e /src | |
| parent | e5c4b52e652d3465693619e22c3597acbff5d79f (diff) | |
| download | krb5-a4b8735a567e71e0c984e2ef4bfc9c491405d671.tar.gz krb5-a4b8735a567e71e0c984e2ef4bfc9c491405d671.tar.xz krb5-a4b8735a567e71e0c984e2ef4bfc9c491405d671.zip | |
The mechglue always passes null for desired_mechs and actual_mechs
when invoking gss_acquire_cred and friends. Eliminate a lot of unused
and untestable logic in the krb5 mech which processed those arguments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24051 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 4 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/acquire_cred.c | 84 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/gssapiP_krb5.h | 23 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/iakerb.c | 24 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/init_sec_context.c | 33 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/inq_cred.c | 18 | ||||
| -rw-r--r-- | src/lib/gssapi/krb5/s4u_gss_glue.c | 88 |
7 files changed, 30 insertions, 244 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 368ef21be..2d7064690 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -149,10 +149,8 @@ create_constrained_deleg_creds(OM_uint32 *minor_status, verifier_cred_handle, &krb_creds, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, out_cred, NULL, - NULL, context); krb5_free_data(context, data); @@ -252,8 +250,6 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) cred->usage = GSS_C_INITIATE; /* we can't accept with this */ /* cred->name already set */ - cred->prerfc_mech = 1; /* this cred will work with all three mechs */ - cred->rfc_mech = 1; cred->keytab = NULL; /* no keytab associated with this... */ cred->tgt_expire = creds[0]->times.endtime; /* store the end time */ cred->ccache = ccache; /* the ccache containing the credential */ diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 88b739e97..28e25052a 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -483,24 +483,18 @@ acquire_init_cred(krb5_context context, /*ARGSUSED*/ static OM_uint32 acquire_cred(minor_status, desired_name, password, time_req, - desired_mechs, cred_usage, output_cred_handle, - actual_mechs, time_rec, req_iakerb) + cred_usage, output_cred_handle, time_rec, req_iakerb) OM_uint32 *minor_status; const gss_name_t desired_name; const gss_buffer_t password; OM_uint32 time_req; - const gss_OID_set desired_mechs; gss_cred_usage_t cred_usage; gss_cred_id_t *output_cred_handle; - gss_OID_set *actual_mechs; OM_uint32 *time_rec; int req_iakerb; { krb5_context context = NULL; - size_t i; krb5_gss_cred_id_t cred = NULL; - gss_OID_set ret_mechs = GSS_C_NO_OID_SET; - int req_old, req_new; OM_uint32 ret; krb5_error_code code = 0; @@ -515,8 +509,6 @@ acquire_cred(minor_status, desired_name, password, time_req, /* make sure all outputs are valid */ *output_cred_handle = NULL; - if (actual_mechs) - *actual_mechs = NULL; if (time_rec) *time_rec = 0; @@ -529,29 +521,6 @@ acquire_cred(minor_status, desired_name, password, time_req, goto krb_error_out; } - /* verify that the requested mechanism set is the default, or - contains krb5 */ - - if (desired_mechs == GSS_C_NULL_OID_SET) { - req_old = 1; - req_new = 1; - } else { - req_old = 0; - req_new = 0; - - for (i=0; i<desired_mechs->count; i++) { - if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i]))) - req_old++; - if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i]))) - req_new++; - } - - if (!req_old && !req_new) { - ret = GSS_S_BAD_MECH; - goto error_out; - } - } - /* create the gss cred structure */ cred = k5alloc(sizeof(krb5_gss_cred_id_rec), &code); if (code != 0) @@ -559,8 +528,6 @@ acquire_cred(minor_status, desired_name, password, time_req, cred->usage = cred_usage; cred->name = NULL; - cred->prerfc_mech = (req_old != 0) && (req_iakerb == 0); - cred->rfc_mech = (req_new != 0) && (req_iakerb == 0); cred->iakerb_mech = req_iakerb; cred->default_identity = (desired_name == GSS_C_NO_NAME); @@ -639,27 +606,6 @@ acquire_cred(minor_status, desired_name, password, time_req, *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0; } - /* create mechs */ - - if (actual_mechs) { - if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, - &ret_mechs)) || - (cred->prerfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5_old, - &ret_mechs))) || - (cred->rfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5, - &ret_mechs))) || - (cred->iakerb_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_iakerb, - &ret_mechs)))) { - goto error_out; - } - } - /* intern the credential handle */ if (! kg_save_cred_id((gss_cred_id_t) cred)) { @@ -671,8 +617,6 @@ acquire_cred(minor_status, desired_name, password, time_req, *minor_status = 0; *output_cred_handle = (gss_cred_id_t) cred; - if (actual_mechs) - *actual_mechs = ret_mechs; krb5_free_context(context); return(GSS_S_COMPLETE); @@ -682,10 +626,6 @@ krb_error_out: ret = GSS_S_FAILURE; error_out: - if (ret_mechs != GSS_C_NO_OID_SET) { - free(ret_mechs->elements); - free(ret_mechs); - } if (cred != NULL) { if (cred->ccache) (void)krb5_cc_close(context, cred->ccache); @@ -748,6 +688,11 @@ gss_krb5int_set_cred_rcache(OM_uint32 *minor_status, return GSS_S_COMPLETE; } +/* + * krb5 and IAKERB mech API functions follow. The mechglue always passes null + * desired_mechs and actual_mechs, so we ignore those parameters. + */ + OM_uint32 krb5_gss_acquire_cred(minor_status, desired_name, time_req, desired_mechs, cred_usage, output_cred_handle, @@ -762,9 +707,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req, OM_uint32 *time_rec; { return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER, - time_req, desired_mechs, - cred_usage, output_cred_handle, actual_mechs, - time_rec, 0); + time_req, cred_usage, output_cred_handle, time_rec, 0); } OM_uint32 @@ -781,9 +724,7 @@ iakerb_gss_acquire_cred(minor_status, desired_name, time_req, OM_uint32 *time_rec; { return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER, - time_req, desired_mechs, - cred_usage, output_cred_handle, actual_mechs, - time_rec, 1); + time_req, cred_usage, output_cred_handle, time_rec, 1); } OM_uint32 @@ -798,9 +739,7 @@ krb5_gss_acquire_cred_with_password(OM_uint32 *minor_status, OM_uint32 *time_rec) { return acquire_cred(minor_status, desired_name, password, - time_req, desired_mechs, - cred_usage, output_cred_handle, actual_mechs, - time_rec, 0); + time_req, cred_usage, output_cred_handle, time_rec, 0); } OM_uint32 @@ -815,8 +754,5 @@ iakerb_gss_acquire_cred_with_password(OM_uint32 *minor_status, OM_uint32 *time_rec) { return acquire_cred(minor_status, desired_name, password, - time_req, desired_mechs, - cred_usage, output_cred_handle, actual_mechs, - time_rec, 1); + time_req, cred_usage, output_cred_handle, time_rec, 1); } - diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index d3a290c1e..573d3150c 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -170,8 +170,6 @@ typedef struct _krb5_gss_cred_id_rec { /* name/type of credential */ gss_cred_usage_t usage; krb5_gss_name_t name; - unsigned int prerfc_mech : 1; - unsigned int rfc_mech : 1; unsigned int proxy_cred : 1; unsigned int default_identity : 1; unsigned int iakerb_mech : 1; @@ -492,25 +490,6 @@ krb5_to_gss_cred(krb5_context context, krb5_creds *creds, krb5_gss_cred_id_t *out_cred); -OM_uint32 -kg_new_connection( - OM_uint32 *minor_status, - krb5_gss_cred_id_t cred, - gss_ctx_id_t *context_handle, - gss_name_t target_name, - gss_OID mech_type, - OM_uint32 req_flags, - OM_uint32 time_req, - gss_channel_bindings_t input_chan_bindings, - gss_buffer_t input_token, - gss_OID *actual_mech_type, - gss_buffer_t output_token, - OM_uint32 *ret_flags, - OM_uint32 *time_rec, - krb5_context context, - int default_mech, - krb5_gss_ctx_ext_t exts); - /** declarations of internal name mechanism functions **/ OM_uint32 krb5_gss_acquire_cred @@ -1006,9 +985,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, krb5_gss_cred_id_t impersonator_cred, krb5_creds *subject_creds, OM_uint32 time_req, - const gss_OID_set desired_mechs, krb5_gss_cred_id_t *output_cred, - gss_OID_set *actual_mechs, OM_uint32 *time_rec, krb5_context context); diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index 6ee0c73dc..0a86fa56a 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -902,7 +902,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL; krb5_gss_cred_id_t kcred; krb5_gss_name_t kname; - int credLocked = 0; + krb5_boolean cred_locked = FALSE; int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT); if (initialContextToken) { @@ -929,14 +929,14 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, if (GSS_ERROR(major_status)) goto cleanup; - credLocked = 1; + cred_locked = TRUE; kcred = (krb5_gss_cred_id_t)claimant_cred_handle; } else { - major_status = iakerb_gss_acquire_cred(minor_status, NULL, - GSS_C_INDEFINITE, - GSS_C_NULL_OID_SET, - GSS_C_INITIATE, - &defcred, NULL, NULL); + major_status = krb5_gss_acquire_cred(minor_status, NULL, + GSS_C_INDEFINITE, + GSS_C_NULL_OID_SET, + GSS_C_INITIATE, + &defcred, NULL, NULL); if (GSS_ERROR(major_status)) goto cleanup; kcred = (krb5_gss_cred_id_t)defcred; @@ -973,13 +973,9 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, if (ctx->state == IAKERB_AP_REQ) { krb5_gss_ctx_ext_rec exts; - /* Ensure cred is marked as usable for Kerberos mechanism */ - if (kcred != NULL) { - if (kcred->iakerb_mech) - kcred->rfc_mech = 1; - + if (cred_locked) { k5_mutex_unlock(&kcred->lock); - credLocked = 0; + cred_locked = FALSE; } iakerb_make_exts(ctx, &exts); @@ -1018,7 +1014,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status, } cleanup: - if (credLocked) + if (cred_locked) k5_mutex_unlock(&kcred->lock); if (initialContextToken && GSS_ERROR(major_status)) { iakerb_release_context(ctx); diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index a7bff2f5d..25cee16f0 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -505,7 +505,7 @@ cleanup: * * Do the grunt work of setting up a new context. */ -OM_uint32 +static OM_uint32 kg_new_connection( OM_uint32 *minor_status, krb5_gss_cred_id_t cred, @@ -521,7 +521,6 @@ kg_new_connection( OM_uint32 *ret_flags, OM_uint32 *time_rec, krb5_context context, - int default_mech, krb5_gss_ctx_ext_t exts) { OM_uint32 major_status; @@ -621,10 +620,6 @@ kg_new_connection( && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG; - if (default_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } - if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used) != GSS_S_COMPLETE) { code = *minor_status; @@ -944,9 +939,7 @@ krb5_gss_init_sec_context_ext( { krb5_context context; krb5_gss_cred_id_t cred; - int err; krb5_error_code kerr; - int default_mech = 0; OM_uint32 major_status; OM_uint32 tmp_min_stat; @@ -1013,33 +1006,13 @@ krb5_gss_init_sec_context_ext( /* verify the mech_type */ - err = 0; - if (mech_type == GSS_C_NULL_OID) { - default_mech = 1; - if (cred->rfc_mech) { - mech_type = (gss_OID) gss_mech_krb5; - } else if (cred->prerfc_mech) { - mech_type = (gss_OID) gss_mech_krb5_old; - } else { - err = 1; - } - } else if (g_OID_equal(mech_type, gss_mech_krb5)) { + if (mech_type == GSS_C_NULL_OID || g_OID_equal(mech_type, gss_mech_krb5)) { mech_type = (gss_OID) gss_mech_krb5; - if (!cred->rfc_mech) - err = 1; } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) { mech_type = (gss_OID) gss_mech_krb5_old; - if (!cred->prerfc_mech) - err = 1; } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) { mech_type = (gss_OID) gss_mech_krb5_wrong; - if (!cred->rfc_mech) - err = 1; } else { - err = 1; - } - - if (err) { k5_mutex_unlock(&cred->lock); if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); @@ -1058,7 +1031,7 @@ krb5_gss_init_sec_context_ext( time_req, input_chan_bindings, input_token, actual_mech_type, output_token, ret_flags, time_rec, - context, default_mech, exts); + context, exts); k5_mutex_unlock(&cred->lock); if (*context_handle == GSS_C_NO_CONTEXT) { save_error_info (*minor_status, context); diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c index 8083b27cc..b97ed89aa 100644 --- a/src/lib/gssapi/krb5/inq_cred.c +++ b/src/lib/gssapi/krb5/inq_cred.c @@ -159,18 +159,12 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, if (mechanisms) { if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status, &mechs)) || - (cred->prerfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5_old, - &mechs))) || - (cred->rfc_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5, - &mechs))) || - (cred->iakerb_mech && - GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, - gss_mech_iakerb, - &mechs)))) { + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + gss_mech_krb5_old, + &mechs)) || + GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status, + gss_mech_krb5, + &mechs))) { k5_mutex_unlock(&cred->lock); if (ret_name) kg_release_name(context, KG_INIT_NAME_INTERN, &ret_name); diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c index c47a15d20..cecbbb0c0 100644 --- a/src/lib/gssapi/krb5/s4u_gss_glue.c +++ b/src/lib/gssapi/krb5/s4u_gss_glue.c @@ -30,75 +30,6 @@ #endif #include <assert.h> -static OM_uint32 -kg_set_desired_mechs(OM_uint32 *minor_status, - const gss_OID_set desired_mechs, - krb5_gss_cred_id_t cred) -{ - unsigned int i; - - if (desired_mechs == GSS_C_NULL_OID_SET) { - cred->prerfc_mech = 1; - cred->rfc_mech = 1; - } else { - cred->prerfc_mech = 0; - cred->rfc_mech = 0; - - for (i = 0; i < desired_mechs->count; i++) { - if (g_OID_equal(gss_mech_krb5_old, &desired_mechs->elements[i])) - cred->prerfc_mech = 1; - else if (g_OID_equal(gss_mech_krb5, &desired_mechs->elements[i])) - cred->rfc_mech = 1; - } - - if (!cred->prerfc_mech && !cred->rfc_mech) { - *minor_status = 0; - return GSS_S_BAD_MECH; - } - } - - return GSS_S_COMPLETE; -} - -static OM_uint32 -kg_return_mechs(OM_uint32 *minor_status, - krb5_gss_cred_id_t cred, - gss_OID_set *actual_mechs) -{ - OM_uint32 major_status, minor; - gss_OID_set mechs; - - if (actual_mechs == NULL) - return GSS_S_COMPLETE; - - major_status = generic_gss_create_empty_oid_set(minor_status, &mechs); - if (GSS_ERROR(major_status)) - return major_status; - - if (cred->prerfc_mech) { - major_status = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5_old, - &mechs); - if (GSS_ERROR(major_status)) { - generic_gss_release_oid_set(&minor, &mechs); - return major_status; - } - } - if (cred->rfc_mech) { - major_status = generic_gss_add_oid_set_member(minor_status, - gss_mech_krb5, - &mechs); - if (GSS_ERROR(major_status)) { - generic_gss_release_oid_set(&minor, &mechs); - return major_status; - } - } - - *actual_mechs = mechs; - - return GSS_S_COMPLETE; -} - static int kg_is_initiator_cred(krb5_gss_cred_id_t cred) { @@ -111,9 +42,7 @@ kg_impersonate_name(OM_uint32 *minor_status, const krb5_gss_cred_id_t impersonator_cred, const krb5_gss_name_t user, OM_uint32 time_req, - const gss_OID_set desired_mechs, krb5_gss_cred_id_t *output_cred, - gss_OID_set *actual_mechs, OM_uint32 *time_rec, krb5_context context) { @@ -165,9 +94,7 @@ kg_impersonate_name(OM_uint32 *minor_status, impersonator_cred, out_creds, time_req, - desired_mechs, output_cred, - actual_mechs, time_rec, context); @@ -177,6 +104,7 @@ kg_impersonate_name(OM_uint32 *minor_status, return major_status; } +/* The mechglue always passes null desired_mechs and actual_mechs. */ OM_uint32 krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, const gss_cred_id_t impersonator_cred_handle, @@ -208,8 +136,6 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, } *output_cred_handle = GSS_C_NO_CREDENTIAL; - if (actual_mechs != NULL) - *actual_mechs = GSS_C_NO_OID_SET; if (time_rec != NULL) *time_rec = 0; @@ -231,9 +157,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, (krb5_gss_cred_id_t)impersonator_cred_handle, (krb5_gss_name_t)desired_name, time_req, - desired_mechs, &cred, - actual_mechs, time_rec, context); @@ -251,9 +175,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, krb5_gss_cred_id_t impersonator_cred, krb5_creds *subject_creds, OM_uint32 time_req, - const gss_OID_set desired_mechs, krb5_gss_cred_id_t *output_cred, - gss_OID_set *actual_mechs, OM_uint32 *time_rec, krb5_context context) { @@ -295,10 +217,6 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, cred->usage = GSS_C_INITIATE; cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE); - major_status = kg_set_desired_mechs(minor_status, desired_mechs, cred); - if (GSS_ERROR(major_status)) - goto cleanup; - cred->tgt_expire = impersonator_cred->tgt_expire; code = kg_init_name(context, subject_creds->client, NULL, 0, &cred->name); @@ -337,10 +255,6 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, *time_rec = cred->tgt_expire - now; } - major_status = kg_return_mechs(minor_status, cred, actual_mechs); - if (GSS_ERROR(major_status)) - goto cleanup; - if (!kg_save_cred_id((gss_cred_id_t)cred)) { code = G_VALIDATE_FAILED; goto cleanup; |