authorSam Hartman <hartmans@mit.edu>2009-11-24 01:14:04 +0000
committerSam Hartman <hartmans@mit.edu>2009-11-24 01:14:04 +0000
commitd0a1138ac5479a7d197a9b778d62a3928292ecbb (patch)
tree1969ca0cfc308cc67603fc61465610a12b195e75
parent22e3cd04b19e0b766977dd3474ecbe14d88f7743 (diff)
If FAST is available and an armor ticket is supplied, use it; otherwise do not unless KRB5_FAST_REQUIRED is set
* KRB5_FAST_REQUIRED: new FAST flag * krb5int_fast_as_armor: examine negotiation state As a result of this change cross-realm armor tickets will generally not be used unless KRB5_FAST_REQUIRED is set in the gic_options. git-svn-id: svn://anonsvn.mit.edu/krb5/users/hartmans/fast-negotiate@23337 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/include/krb5/krb5.hin3
-rw-r--r--src/lib/krb5/krb/fast.c31
2 files changed, 28 insertions, 6 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 24e7173..5f7cc6d 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2289,6 +2289,9 @@ krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_fast_flags
(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+/* Fast flags*/
+#define KRB5_FAST_REQUIRED 1l<<0 /*!< Require KDC to support FAST*/
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
krb5_principal client, char *password,
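Review bot: `KRB5_FAST_REQUIRED` is defined as the unparenthesized expression `1l<<0`, so any use beyond a plain `&`/`|` operand (for example `~KRB5_FAST_REQUIRED` to clear the bit, or a multiplication or cast in front of it) binds incorrectly; a public flag macro should be a single token or fully parenthesized, e.g. `#define KRB5_FAST_REQUIRED (1l<<0) /*!< Require KDC to support FAST */`. The `l` suffix also makes the constant a `long`, whereas `krb5_flags` is presumably a 32-bit type in this header, so a plain `0x0001` would avoid the width mismatch entirely. The surrounding declarations are context only and are not affected.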
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index d1db099..9e250d4 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -56,7 +56,7 @@
static krb5_error_code
fast_armor_ap_request(krb5_context context,
struct krb5int_fast_request_state *state,
- krb5_ccache ccache, krb5_data *target_realm)
+ krb5_ccache ccache, krb5_principal target_principal)
{
krb5_error_code retval = 0;
krb5_creds creds, *out_creds = NULL;
@@ -66,9 +66,8 @@ fast_armor_ap_request(krb5_context context,
krb5_keyblock *subkey = NULL, *armor_key = NULL;
encoded_authenticator.data = NULL;
memset(&creds, 0, sizeof(creds));
- retval = krb5_tgtname(context, target_realm, target_realm, &creds.server);
- if (retval ==0)
- retval = krb5_cc_get_principal(context, ccache, &creds.client);
+ creds.server = target_principal;
+ retval = krb5_cc_get_principal(context, ccache, &creds.client);
if (retval == 0)
retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
if (retval == 0)
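Review bot: `creds.server = target_principal;` aliases caller-owned memory into a struct that is later handed to krb5_free_cred_contents, and nothing at the assignment says so; a reader only discovers the ownership rule from the NULL-out in the cleanup path further down the function. Add `/* Borrowed from the caller; must be cleared before krb5_free_cred_contents. */` at the assignment so a future early return or a reordering of the cleanup does not double-free the principal. fast_armor_ap_request's body continues outside the hunk.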
@@ -98,6 +97,8 @@ fast_armor_ap_request(krb5_context context,
krb5_free_keyblock(context, subkey);
if (out_creds)
krb5_free_creds(context, out_creds);
+ /*target_principal is owned by caller*/
+ creds.server = NULL;
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
krb5_free_data_contents(context, &encoded_authenticator);
@@ -138,13 +139,29 @@ krb5int_fast_as_armor(krb5_context context,
{
krb5_error_code retval = 0;
krb5_ccache ccache = NULL;
+ krb5_principal target_principal = NULL;
+ krb5_data *target_realm;
krb5_clear_error_message(context);
+ target_realm = krb5_princ_realm(context, request->server);
if (opte->opt_private->fast_ccache_name) {
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
- if (retval==0)
+ if (retval == 0)
+ retval = krb5_tgtname(context, target_realm, target_realm, &target_principal);
+ if (retval == 0) {
+ krb5_data config_data;
+ config_data.data = NULL;
+ retval = krb5_cc_get_config(context, ccache,
+ target_principal, KRB5_CCCONF_FAST_AVAIL,
+ &config_data);
+ if ((retval == 0) && config_data.data )
+ opte->opt_private->fast_flags |= KRB5_FAST_REQUIRED;
+ krb5_free_data_contents(context, &config_data);
+ retval = 0;
+ }
+ if (retval==0 && (opte->opt_private->fast_flags &KRB5_FAST_REQUIRED))
retval = fast_armor_ap_request(context, state, ccache,
- krb5_princ_realm(context, request->server));
+target_principal);
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
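Review bot: The unconditional `retval = 0;` at the end of the config-lookup block discards every error from krb5_cc_get_config, not only the "no such entry" case, so an unreadable or corrupt armor ccache silently disables FAST instead of being reported; either state the intent at that line, e.g. `/* A missing fast_avail entry is normal; other lookup failures are deliberately ignored. */`, or narrow the swallow to the not-found code (I cannot see from this hunk which code krb5_cc_get_config returns for a missing entry, so the exact constant needs checking). Separately, `opte->opt_private->fast_flags |= KRB5_FAST_REQUIRED` persistently mutates the caller's gic options based on a cached ccache entry, so a later get_init_creds call reusing the same opt will hard-require FAST; that looks like the intended downgrade protection given the commit message, but it deserves a comment at the assignment because callers would not expect their options to change. The continuation argument `target_principal);` sits at column 0 and should be aligned under the preceding argument. krb5int_fast_as_armor's body continues outside the hunk.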
@@ -156,6 +173,8 @@ krb5int_fast_as_armor(krb5_context context,
}
if (ccache)
krb5_cc_close(context, ccache);
+ if (target_principal)
+ krb5_free_principal(context, target_principal);
return retval;
}