author | Sam Hartman <hartmans@mit.edu> | 2009-12-02 16:16:22 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2009-12-02 16:16:22 +0000 |
commit | db34c2ba2fdb4d96fbdfbcf47b076a294345a5fd (patch) | |
tree | ce4480ae74b6ee23daa07b0a4a4cbf1d299491ba | |
parent | 6770c3eadf86f06e1b9c0f4e6e9f19da581508d5 (diff) | |
Add
krb5_get_init_creds_opt_{set_fast_flags|get_fast_flags|set_out_ccache}
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23413 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/include/k5-int.h | 2 | ||||
-rw-r--r-- | src/include/krb5/krb5.hin | 31 | ||||
-rw-r--r-- | src/lib/krb5/krb/gic_opt.c | 55 | ||||
-rw-r--r-- | src/lib/krb5/libkrb5.exports | 3 |
4 files changed, 85 insertions, 6 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 2a7b4d9..533cb8b 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1185,6 +1185,8 @@ typedef struct _krb5_gic_opt_private {
 int num_preauth_data;
 krb5_gic_opt_pa_data *preauth_data;
 char * fast_ccache_name;
+ krb5_ccache out_ccache;
+ krb5_flags fast_flags;
 } krb5_gic_opt_private;
 /*
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 2b1a9b1..f429c8f 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2273,15 +2273,34 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
 krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
+/**This API sets a ccache name that will contain some TGT on calls to
+ get_init_creds functions. If set, this ccache will be used for FAST
+ (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from
+ observation and active attack. If the fast_ccache_name is set, then FAST
+ may be required by the client library. In this and future versions, FAST
+ will be used if available; krb5_get_init_creds_opt_set_fast_flags() may be
+ used to require that the request fail is FAST is unavailable. In MIT
+ Kerberos 1.7 setting the fast ccache at all required that FAST be present
+ or the request would fail.*/
 krb5_get_init_creds_opt *opt, const char *fast_ccache_name);
-/* This API sets a ccache name that will contain some TGT on
- calls to get_init_creds functions. If set, this ccache will
- be used for FAST (draft-ietf-krb-wg-preauth-framework) to
- protect the AS-REQ from observation and active attack. If
- the fast_ccache_name is set, then FAST may be required by the
- client library. In this version FAST is required.*/
+/**Set a ccache where resulting credentials will be stored. If set, then the
+ * krb5_get_init_creds family of APIs will write out credentials to the given
+ * ccache. Setting an output ccache is desirable both because it simplifies
+ * calling code and because it permits the krb5_get_init_creds APIs to write
+ * out configuration information about the realm to the ccache.
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags);
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+
 krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_principal client, char *password,
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index bff4539..f1d9479 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -149,6 +149,8 @@ krb5int_gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte)
 free_gic_opt_ext_preauth_data(context, opte);
 if (opte->opt_private->fast_ccache_name)
 free(opte->opt_private->fast_ccache_name);
+ if (opte->opt_private->out_ccache)
+ krb5_cc_close(context, opte->opt_private->out_ccache);
 free(opte->opt_private);
 opte->opt_private = NULL;
 return 0;
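Review bot: The rewritten comment for krb5_get_init_creds_opt_set_fast_ccache_name is added after the prototype's first parameter line rather than above the declaration, so a documentation generator is unlikely to attach it to the function; it belongs above `krb5_error_code KRB5_CALLCONV`, and "fail is FAST" should read "fail if FAST". The text also records a behaviour change that matters for security: with a FAST ccache set, 1.7 failed the request when FAST was unavailable, while this version proceeds without it, so callers that relied on the old behaviour now have to call krb5_get_init_creds_opt_set_fast_flags(). Neither fast_flags prototype has a comment and no flag constant is visible in this hunk, so the header should name the bit that makes FAST mandatory and state that the default is opportunistic. The set_out_ccache comment should also say who owns `ccache` after the call; the implementation in gic_opt.c re-resolves it by name, so the caller appears to keep its own handle.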
@@ -486,3 +488,56 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
 retval = ENOMEM;
 return retval;
 }
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_out_ccache
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_set_out_ccache");
+ if (retval)
+ return retval;
+ if (opte->opt_private->out_ccache) {
+ krb5_cc_close(context, opte->opt_private->out_ccache);
+ opte->opt_private->out_ccache = NULL;
+ }
+ retval = krb5_cc_resolve(context, krb5_cc_get_name(context, ccache),
+ &opte->opt_private->out_ccache);
+ return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_set_fast_flags");
+ if (retval)
+ return retval;
+ opte->opt_private->fast_flags = flags;
+ return retval;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_fast_flags
+(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)
+{
+ krb5_error_code retval = 0;
+ krb5_gic_opt_ext *opte;
+ if (out_flags == NULL)
+ return EINVAL;
+ *out_flags = 0;
+ retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
+ "krb5_get_init_creds_opt_get_fast_flags");
+ if (retval)
+ return retval;
+ *out_flags = opte->opt_private->fast_flags;
+ return retval;
+}
+
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 91abb64..15a887b 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
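Review bot: In krb5_get_init_creds_opt_set_out_ccache the cache is re-opened with `krb5_cc_resolve(context, krb5_cc_get_name(context, ccache), ...)`, but krb5_cc_get_name() returns the name without its type prefix, so a cache of a non-default type (a MEMORY cache, for example) would most likely be resolved under the default type and the credentials written somewhere the caller did not choose. The name handed to krb5_cc_resolve() should carry the type from krb5_cc_get_type(), and `ccache` should be checked for NULL before use, in the way get_fast_flags already checks `out_flags`. Resolving the new handle before closing the old one would also keep the previous setting intact when resolution fails. None of the three new functions has a header comment describing ownership of the handle or the error returns.

```c
krb5_get_init_creds_opt_set_out_ccache
(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
    /* ... unchanged: retval and opte declarations ... */
    krb5_ccache resolved = NULL;
    const char *type, *name;
    char *full;
    size_t len;

    if (ccache == NULL)
        return EINVAL;
    /* ... unchanged: krb5int_gic_opt_to_opte() call and its error return ... */
    type = krb5_cc_get_type(context, ccache);
    name = krb5_cc_get_name(context, ccache);
    len = strlen(type) + strlen(name) + 2;      /* ':' and the terminator */
    full = malloc(len);
    if (full == NULL)
        return ENOMEM;
    snprintf(full, len, "%s:%s", type, name);
    retval = krb5_cc_resolve(context, full, &resolved);
    free(full);
    if (retval)
        return retval;          /* previously set out_ccache stays in place */
    /* ... unchanged: close any previously set out_ccache ... */
    opte->opt_private->out_ccache = resolved;
    return 0;
```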
@@ -333,6 +333,7 @@ krb5_get_init_creds_keytab
 krb5_get_init_creds_opt_alloc
 krb5_get_init_creds_opt_free
 krb5_get_init_creds_opt_free_pa
+krb5_get_init_creds_opt_get_fast_flags
 krb5_get_init_creds_opt_get_pa
 krb5_get_init_creds_opt_init
 krb5_get_init_creds_opt_set_address_list
@@ -340,7 +341,9 @@ krb5_get_init_creds_opt_set_canonicalize
 krb5_get_init_creds_opt_set_change_password_prompt
 krb5_get_init_creds_opt_set_etype_list
 krb5_get_init_creds_opt_set_fast_ccache_name
+krb5_get_init_creds_opt_set_fast_flags
 krb5_get_init_creds_opt_set_forwardable
+krb5_get_init_creds_opt_set_out_ccache
 krb5_get_init_creds_opt_set_pa
 krb5_get_init_creds_opt_set_preauth_list
 krb5_get_init_creds_opt_set_proxiable |