authorSam Hartman <hartmans@mit.edu>2009-12-02 16:16:38 +0000
committerSam Hartman <hartmans@mit.edu>2009-12-02 16:16:38 +0000
commitfbbca0548b34a2cec60fe808b397b89f21a9fe81 (patch)
treec5668374d5bb30e7975a1a75718bf36903aaa104
parent971eddfd4d1173369707e4331b7909f810c1253d (diff)
Implement upgrade to FAST when the KDC supports FAST. Implement fall
back to no negotiation when the KDC doesn't appear to support it. In order to do this control flow for get_init_creds is changed significantly. A comment in the diff explains the logic. * Move preauth_request_init into loop * move preauth gic option handling into loop * New function krb5int_upgrade_to_fast_p * New fast state flag: KRB5INT_FAST_ARMOR_AVAIL git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23418 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb5/krb/fast.c18
-rw-r--r--src/lib/krb5/krb/fast.h6
2 files changed, 22 insertions, 2 deletions
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 6998263..0ba3085 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -144,6 +144,7 @@ krb5int_fast_as_armor(krb5_context context,
krb5_clear_error_message(context);
target_realm = krb5_princ_realm(context, request->server);
if (opte->opt_private->fast_ccache_name) {
+ state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL;
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
if (retval == 0)
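Review bot: `KRB5INT_FAST_ARMOR_AVAIL` is set before `krb5_cc_resolve()` has run, so it records only that an armor ccache name was configured, not that the cache could be opened. `krb5int_upgrade_to_fast_p`, added later in this file, relies on this flag to decide whether switching to FAST is possible, so a stale or mistyped ccache name still marks armor as available. Consider setting the flag only once the resolve succeeds, e.g. `if (retval == 0) state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL;` placed after the call, or document the weaker meaning where the flag is defined. The body of krb5int_fast_as_armor starts and ends outside this hunk, so the effect on the error path is inferred rather than visible here.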
@@ -155,11 +156,13 @@ krb5int_fast_as_armor(krb5_context context,
target_principal, KRB5_CCCONF_FAST_AVAIL,
&config_data);
if ((retval == 0) && config_data.data )
- opte->opt_private->fast_flags |= KRB5_FAST_REQUIRED;
+ state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
krb5_free_data_contents(context, &config_data);
retval = 0;
}
- if (retval==0 && (opte->opt_private->fast_flags &KRB5_FAST_REQUIRED))
+ if (opte->opt_private->fast_flags& KRB5_FAST_REQUIRED)
+ state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
+ if (retval==0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST))
retval = fast_armor_ap_request(context, state, ccache,
target_principal);
if (retval != 0) {
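Review bot: When the armor ccache carries the `KRB5_CCCONF_FAST_AVAIL` hint, the old line promoted that to `KRB5_FAST_REQUIRED`, but the new line sets only `KRB5INT_FAST_DO_FAST`, which weakens a previously hard requirement into a preference. If the fallback path (not part of this diff) consults only `KRB5_FAST_REQUIRED` before retrying without FAST, a realm already known to support FAST can be pushed back to unarmored pre-authentication by anyone able to tamper with the KDC's reply. Please confirm that the fallback refuses to drop armor in this case, and record the intent in a comment such as `/* KDC advertised FAST earlier; do FAST but treat it as a preference, not a requirement */` so the policy is explicit. The new `fast_flags& KRB5_FAST_REQUIRED` test would also read better spaced like the condition below it.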
@@ -587,3 +590,14 @@ krb5_error_code krb5int_fast_verify_nego
krb5_free_checksum(context, checksum);
return retval;
}
+krb5_boolean krb5int_upgrade_to_fast_p
+(krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **padata)
+{
+ if (! (state->fast_state_flags & KRB5INT_FAST_ARMOR_AVAIL))
+ return 0;
+ if (krb5int_find_pa_data(context, padata, KRB5_PADATA_FX_FAST) != NULL) {
+ state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
+ return 1;
+ }
+ return 0;
+}
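Review bot: `krb5int_upgrade_to_fast_p` decides whether to use FAST purely from the presence of `KRB5_PADATA_FX_FAST` in `padata`, and nothing in this hunk shows that the padata list is integrity-protected at this point. If it comes from an unauthenticated KDC error, as the commit message's fallback description suggests, removing that one element in transit suppresses the upgrade, so the function needs a header comment stating that this negotiation is opportunistic and that callers needing downgrade protection must set `KRB5_FAST_REQUIRED`. The same comment should say that, despite the predicate-style `_p` name, the function has a side effect: it sets `KRB5INT_FAST_DO_FAST` in `state` when it returns true. Since the return type is `krb5_boolean`, `return TRUE;` / `return FALSE;` would also read more clearly than `1` / `0`.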
diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h
index 74b4136..db0aa84 100644
--- a/src/lib/krb5/krb/fast.h
+++ b/src/lib/krb5/krb/fast.h
@@ -41,6 +41,9 @@ struct krb5int_fast_request_state {
krb5_ui_4 fast_options;
krb5_int32 nonce;
};
+#define KRB5INT_FAST_DO_FAST (1l<<0) /*perform FAST*/
+#define KRB5INT_FAST_ARMOR_AVAIL (1l<<1)
+
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
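Review bot: `KRB5INT_FAST_ARMOR_AVAIL` is added without a comment although `KRB5INT_FAST_DO_FAST` has one, and its meaning matters for security: in fast.c it is set as soon as an armor ccache name is configured and is then what permits an upgrade to FAST. I would write `#define KRB5INT_FAST_ARMOR_AVAIL (1L<<1) /* armor ccache configured; upgrade to FAST is possible */`. The lowercase `1l` in both definitions is easily misread as `11`, so `1L` (or `1U`, if `fast_state_flags` is unsigned; its declaration is outside this hunk) is preferable. A comment on `KRB5INT_FAST_DO_FAST` noting that it is per-request state, as opposed to the caller's `KRB5_FAST_REQUIRED` option, would help keep the two apart.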
@@ -84,6 +87,9 @@ krb5_error_code krb5int_fast_verify_nego
krb5_kdc_rep *rep, krb5_data *request,
krb5_keyblock *decrypting_key, krb5_boolean *fast_avail);
+krb5_boolean krb5int_upgrade_to_fast_p
+(krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **padata);
+