The mechglue always passes null for desired_mechs and actual_mechs
authorGreg Hudson <ghudson@mit.edu>
Mon, 17 May 2010 20:01:29 +0000 (20:01 +0000)
committerGreg Hudson <ghudson@mit.edu>
Mon, 17 May 2010 20:01:29 +0000 (20:01 +0000)
when invoking gss_acquire_cred and friends.  Eliminate a lot of unused
and untestable logic in the krb5 mech which processed those arguments.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24051 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/accept_sec_context.c
src/lib/gssapi/krb5/acquire_cred.c
src/lib/gssapi/krb5/gssapiP_krb5.h
src/lib/gssapi/krb5/iakerb.c
src/lib/gssapi/krb5/init_sec_context.c
src/lib/gssapi/krb5/inq_cred.c
src/lib/gssapi/krb5/s4u_gss_glue.c

index 368ef21be3e30ac2056d2ad5707084788c776cae..2d70646907597af964fa0af2b09d30a0efe38558 100644 (file)
@@ -149,10 +149,8 @@ create_constrained_deleg_creds(OM_uint32 *minor_status,
                                          verifier_cred_handle,
                                          &krb_creds,
                                          GSS_C_INDEFINITE,
-                                         GSS_C_NO_OID_SET,
                                          out_cred,
                                          NULL,
-                                         NULL,
                                          context);
 
     krb5_free_data(context, data);
@@ -252,8 +250,6 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
 
         cred->usage = GSS_C_INITIATE; /* we can't accept with this */
         /* cred->name already set */
-        cred->prerfc_mech = 1; /* this cred will work with all three mechs */
-        cred->rfc_mech = 1;
         cred->keytab = NULL; /* no keytab associated with this... */
         cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
         cred->ccache = ccache; /* the ccache containing the credential */
index 88b739e97f0591cceacc62baf0e56f0da5d22344..28e25052abd7547112282b89381f0755126f5c13 100644 (file)
@@ -483,24 +483,18 @@ acquire_init_cred(krb5_context context,
 /*ARGSUSED*/
 static OM_uint32
 acquire_cred(minor_status, desired_name, password, time_req,
-             desired_mechs, cred_usage, output_cred_handle,
-             actual_mechs, time_rec, req_iakerb)
+             cred_usage, output_cred_handle, time_rec, req_iakerb)
     OM_uint32 *minor_status;
     const gss_name_t desired_name;
     const gss_buffer_t password;
     OM_uint32 time_req;
-    const gss_OID_set desired_mechs;
     gss_cred_usage_t cred_usage;
     gss_cred_id_t *output_cred_handle;
-    gss_OID_set *actual_mechs;
     OM_uint32 *time_rec;
     int req_iakerb;
 {
     krb5_context context = NULL;
-    size_t i;
     krb5_gss_cred_id_t cred = NULL;
-    gss_OID_set ret_mechs = GSS_C_NO_OID_SET;
-    int req_old, req_new;
     OM_uint32 ret;
     krb5_error_code code = 0;
 
@@ -515,8 +509,6 @@ acquire_cred(minor_status, desired_name, password, time_req,
     /* make sure all outputs are valid */
 
     *output_cred_handle = NULL;
-    if (actual_mechs)
-        *actual_mechs = NULL;
     if (time_rec)
         *time_rec = 0;
 
@@ -529,29 +521,6 @@ acquire_cred(minor_status, desired_name, password, time_req,
         goto krb_error_out;
     }
 
-    /* verify that the requested mechanism set is the default, or
-       contains krb5 */
-
-    if (desired_mechs == GSS_C_NULL_OID_SET) {
-        req_old = 1;
-        req_new = 1;
-    } else {
-        req_old = 0;
-        req_new = 0;
-
-        for (i=0; i<desired_mechs->count; i++) {
-            if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
-                req_old++;
-            if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
-                req_new++;
-        }
-
-        if (!req_old && !req_new) {
-            ret = GSS_S_BAD_MECH;
-            goto error_out;
-        }
-    }
-
     /* create the gss cred structure */
     cred = k5alloc(sizeof(krb5_gss_cred_id_rec), &code);
     if (code != 0)
@@ -559,8 +528,6 @@ acquire_cred(minor_status, desired_name, password, time_req,
 
     cred->usage = cred_usage;
     cred->name = NULL;
-    cred->prerfc_mech = (req_old != 0) && (req_iakerb == 0);
-    cred->rfc_mech = (req_new != 0) && (req_iakerb == 0);
     cred->iakerb_mech = req_iakerb;
     cred->default_identity = (desired_name == GSS_C_NO_NAME);
 
@@ -639,27 +606,6 @@ acquire_cred(minor_status, desired_name, password, time_req,
             *time_rec = (cred->tgt_expire > now) ? (cred->tgt_expire - now) : 0;
     }
 
-    /* create mechs */
-
-    if (actual_mechs) {
-        if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
-                                                             &ret_mechs)) ||
-            (cred->prerfc_mech &&
-             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
-                                                            gss_mech_krb5_old,
-                                                            &ret_mechs))) ||
-            (cred->rfc_mech &&
-             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
-                                                            gss_mech_krb5,
-                                                            &ret_mechs))) ||
-            (cred->iakerb_mech &&
-             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
-                                                            gss_mech_iakerb,
-                                                            &ret_mechs)))) {
-            goto error_out;
-        }
-    }
-
     /* intern the credential handle */
 
     if (! kg_save_cred_id((gss_cred_id_t) cred)) {
@@ -671,8 +617,6 @@ acquire_cred(minor_status, desired_name, password, time_req,
 
     *minor_status = 0;
     *output_cred_handle = (gss_cred_id_t) cred;
-    if (actual_mechs)
-        *actual_mechs = ret_mechs;
 
     krb5_free_context(context);
     return(GSS_S_COMPLETE);
@@ -682,10 +626,6 @@ krb_error_out:
     ret = GSS_S_FAILURE;
 
 error_out:
-    if (ret_mechs != GSS_C_NO_OID_SET) {
-        free(ret_mechs->elements);
-        free(ret_mechs);
-    }
     if (cred != NULL) {
         if (cred->ccache)
             (void)krb5_cc_close(context, cred->ccache);
@@ -748,6 +688,11 @@ gss_krb5int_set_cred_rcache(OM_uint32 *minor_status,
     return GSS_S_COMPLETE;
 }
 
+/*
+ * krb5 and IAKERB mech API functions follow.  The mechglue always passes null
+ * desired_mechs and actual_mechs, so we ignore those parameters.
+ */
+
 OM_uint32
 krb5_gss_acquire_cred(minor_status, desired_name, time_req,
                       desired_mechs, cred_usage, output_cred_handle,
@@ -762,9 +707,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
     OM_uint32 *time_rec;
 {
     return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
-                        time_req, desired_mechs,
-                        cred_usage, output_cred_handle, actual_mechs,
-                        time_rec, 0);
+                        time_req, cred_usage, output_cred_handle, time_rec, 0);
 }
 
 OM_uint32
@@ -781,9 +724,7 @@ iakerb_gss_acquire_cred(minor_status, desired_name, time_req,
     OM_uint32 *time_rec;
 {
     return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
-                        time_req, desired_mechs,
-                        cred_usage, output_cred_handle, actual_mechs,
-                        time_rec, 1);
+                        time_req, cred_usage, output_cred_handle, time_rec, 1);
 }
 
 OM_uint32
@@ -798,9 +739,7 @@ krb5_gss_acquire_cred_with_password(OM_uint32 *minor_status,
                                     OM_uint32 *time_rec)
 {
     return acquire_cred(minor_status, desired_name, password,
-                        time_req, desired_mechs,
-                        cred_usage, output_cred_handle, actual_mechs,
-                        time_rec, 0);
+                        time_req, cred_usage, output_cred_handle, time_rec, 0);
 }
 
 OM_uint32
@@ -815,8 +754,5 @@ iakerb_gss_acquire_cred_with_password(OM_uint32 *minor_status,
                                       OM_uint32 *time_rec)
 {
     return acquire_cred(minor_status, desired_name, password,
-                        time_req, desired_mechs,
-                        cred_usage, output_cred_handle, actual_mechs,
-                        time_rec, 1);
+                        time_req, cred_usage, output_cred_handle, time_rec, 1);
 }
-
index d3a290c1ee683823ad4ce455a99408e0cd4f19c1..573d3150cbe06100fa768f08791ba938164911e7 100644 (file)
@@ -170,8 +170,6 @@ typedef struct _krb5_gss_cred_id_rec {
     /* name/type of credential */
     gss_cred_usage_t usage;
     krb5_gss_name_t name;
-    unsigned int prerfc_mech : 1;
-    unsigned int rfc_mech : 1;
     unsigned int proxy_cred : 1;
     unsigned int default_identity : 1;
     unsigned int iakerb_mech : 1;
@@ -492,25 +490,6 @@ krb5_to_gss_cred(krb5_context context,
                  krb5_creds *creds,
                  krb5_gss_cred_id_t *out_cred);
 
-OM_uint32
-kg_new_connection(
-    OM_uint32 *minor_status,
-    krb5_gss_cred_id_t cred,
-    gss_ctx_id_t *context_handle,
-    gss_name_t target_name,
-    gss_OID mech_type,
-    OM_uint32 req_flags,
-    OM_uint32 time_req,
-    gss_channel_bindings_t input_chan_bindings,
-    gss_buffer_t input_token,
-    gss_OID *actual_mech_type,
-    gss_buffer_t output_token,
-    OM_uint32 *ret_flags,
-    OM_uint32 *time_rec,
-    krb5_context context,
-    int default_mech,
-    krb5_gss_ctx_ext_t exts);
-
 /** declarations of internal name mechanism functions **/
 
 OM_uint32 krb5_gss_acquire_cred
@@ -1006,9 +985,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
                       krb5_gss_cred_id_t impersonator_cred,
                       krb5_creds *subject_creds,
                       OM_uint32 time_req,
-                      const gss_OID_set desired_mechs,
                       krb5_gss_cred_id_t *output_cred,
-                      gss_OID_set *actual_mechs,
                       OM_uint32 *time_rec,
                       krb5_context context);
 
index 6ee0c73dcb3f1a47bd10e3809d40c62965e403f2..0a86fa56a7f5e6f57af0618ff6c93a72475352b4 100644 (file)
@@ -902,7 +902,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
     gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
     krb5_gss_cred_id_t kcred;
     krb5_gss_name_t kname;
-    int credLocked = 0;
+    krb5_boolean cred_locked = FALSE;
     int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
 
     if (initialContextToken) {
@@ -929,14 +929,14 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
         if (GSS_ERROR(major_status))
             goto cleanup;
 
-        credLocked = 1;
+        cred_locked = TRUE;
         kcred = (krb5_gss_cred_id_t)claimant_cred_handle;
     } else {
-        major_status = iakerb_gss_acquire_cred(minor_status, NULL,
-                                               GSS_C_INDEFINITE,
-                                               GSS_C_NULL_OID_SET,
-                                               GSS_C_INITIATE,
-                                               &defcred, NULL, NULL);
+        major_status = krb5_gss_acquire_cred(minor_status, NULL,
+                                             GSS_C_INDEFINITE,
+                                             GSS_C_NULL_OID_SET,
+                                             GSS_C_INITIATE,
+                                             &defcred, NULL, NULL);
         if (GSS_ERROR(major_status))
             goto cleanup;
         kcred = (krb5_gss_cred_id_t)defcred;
@@ -973,13 +973,9 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
     if (ctx->state == IAKERB_AP_REQ) {
         krb5_gss_ctx_ext_rec exts;
 
-        /* Ensure cred is marked as usable for Kerberos mechanism */
-        if (kcred != NULL) {
-            if (kcred->iakerb_mech)
-                kcred->rfc_mech = 1;
-
+        if (cred_locked) {
             k5_mutex_unlock(&kcred->lock);
-            credLocked = 0;
+            cred_locked = FALSE;
         }
 
         iakerb_make_exts(ctx, &exts);
@@ -1018,7 +1014,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
     }
 
 cleanup:
-    if (credLocked)
+    if (cred_locked)
         k5_mutex_unlock(&kcred->lock);
     if (initialContextToken && GSS_ERROR(major_status)) {
         iakerb_release_context(ctx);
index a7bff2f5d7670a6e074bc71d25a7868e03ae96b9..25cee16f0a2f71d2c7f621e9117ba5bdc7834998 100644 (file)
@@ -505,7 +505,7 @@ cleanup:
  *
  * Do the grunt work of setting up a new context.
  */
-OM_uint32
+static OM_uint32
 kg_new_connection(
     OM_uint32 *minor_status,
     krb5_gss_cred_id_t cred,
@@ -521,7 +521,6 @@ kg_new_connection(
     OM_uint32 *ret_flags,
     OM_uint32 *time_rec,
     krb5_context context,
-    int default_mech,
     krb5_gss_ctx_ext_t exts)
 {
     OM_uint32 major_status;
@@ -621,10 +620,6 @@ kg_new_connection(
         && (k_cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
         ctx->gss_flags |= GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG;
 
-    if (default_mech) {
-        mech_type = (gss_OID) gss_mech_krb5;
-    }
-
     if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
         != GSS_S_COMPLETE) {
         code = *minor_status;
@@ -944,9 +939,7 @@ krb5_gss_init_sec_context_ext(
 {
     krb5_context context;
     krb5_gss_cred_id_t cred;
-    int err;
     krb5_error_code kerr;
-    int default_mech = 0;
     OM_uint32 major_status;
     OM_uint32 tmp_min_stat;
 
@@ -1013,33 +1006,13 @@ krb5_gss_init_sec_context_ext(
 
     /* verify the mech_type */
 
-    err = 0;
-    if (mech_type == GSS_C_NULL_OID) {
-        default_mech = 1;
-        if (cred->rfc_mech) {
-            mech_type = (gss_OID) gss_mech_krb5;
-        } else if (cred->prerfc_mech) {
-            mech_type = (gss_OID) gss_mech_krb5_old;
-        } else {
-            err = 1;
-        }
-    } else if (g_OID_equal(mech_type, gss_mech_krb5)) {
+    if (mech_type == GSS_C_NULL_OID || g_OID_equal(mech_type, gss_mech_krb5)) {
         mech_type = (gss_OID) gss_mech_krb5;
-        if (!cred->rfc_mech)
-            err = 1;
     } else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
         mech_type = (gss_OID) gss_mech_krb5_old;
-        if (!cred->prerfc_mech)
-            err = 1;
     } else if (g_OID_equal(mech_type, gss_mech_krb5_wrong)) {
         mech_type = (gss_OID) gss_mech_krb5_wrong;
-        if (!cred->rfc_mech)
-            err = 1;
     } else {
-        err = 1;
-    }
-
-    if (err) {
         k5_mutex_unlock(&cred->lock);
         if (claimant_cred_handle == GSS_C_NO_CREDENTIAL)
             krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred);
@@ -1058,7 +1031,7 @@ krb5_gss_init_sec_context_ext(
                                          time_req, input_chan_bindings,
                                          input_token, actual_mech_type,
                                          output_token, ret_flags, time_rec,
-                                         context, default_mech, exts);
+                                         context, exts);
         k5_mutex_unlock(&cred->lock);
         if (*context_handle == GSS_C_NO_CONTEXT) {
             save_error_info (*minor_status, context);
index 8083b27cce4b2936a4667940843398e206cf2cc1..b97ed89aa2e1a74b912c4e03456cd375464df5d7 100644 (file)
@@ -159,18 +159,12 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     if (mechanisms) {
         if (GSS_ERROR(ret = generic_gss_create_empty_oid_set(minor_status,
                                                              &mechs)) ||
-            (cred->prerfc_mech &&
-             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
-                                                            gss_mech_krb5_old,
-                                                            &mechs))) ||
-            (cred->rfc_mech &&
-             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
-                                                            gss_mech_krb5,
-                                                            &mechs))) ||
-            (cred->iakerb_mech &&
-             GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
-                                                            gss_mech_iakerb,
-                                                            &mechs)))) {
+            GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+                                                           gss_mech_krb5_old,
+                                                           &mechs)) ||
+            GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
+                                                           gss_mech_krb5,
+                                                           &mechs))) {
             k5_mutex_unlock(&cred->lock);
             if (ret_name)
                 kg_release_name(context, KG_INIT_NAME_INTERN, &ret_name);
index c47a15d200b92078c8d26b49b459c69e5f4ffb52..cecbbb0c073dcbe1163dc75c9ed9abdeb93f0a9a 100644 (file)
 #endif
 #include <assert.h>
 
-static OM_uint32
-kg_set_desired_mechs(OM_uint32 *minor_status,
-                     const gss_OID_set desired_mechs,
-                     krb5_gss_cred_id_t cred)
-{
-    unsigned int i;
-
-    if (desired_mechs == GSS_C_NULL_OID_SET) {
-        cred->prerfc_mech = 1;
-        cred->rfc_mech = 1;
-    } else {
-        cred->prerfc_mech = 0;
-        cred->rfc_mech = 0;
-
-        for (i = 0; i < desired_mechs->count; i++) {
-            if (g_OID_equal(gss_mech_krb5_old, &desired_mechs->elements[i]))
-                cred->prerfc_mech = 1;
-            else if (g_OID_equal(gss_mech_krb5, &desired_mechs->elements[i]))
-                cred->rfc_mech = 1;
-        }
-
-        if (!cred->prerfc_mech && !cred->rfc_mech) {
-            *minor_status = 0;
-            return GSS_S_BAD_MECH;
-        }
-    }
-
-    return GSS_S_COMPLETE;
-}
-
-static OM_uint32
-kg_return_mechs(OM_uint32 *minor_status,
-                krb5_gss_cred_id_t cred,
-                gss_OID_set *actual_mechs)
-{
-    OM_uint32 major_status, minor;
-    gss_OID_set mechs;
-
-    if (actual_mechs == NULL)
-        return GSS_S_COMPLETE;
-
-    major_status = generic_gss_create_empty_oid_set(minor_status, &mechs);
-    if (GSS_ERROR(major_status))
-        return major_status;
-
-    if (cred->prerfc_mech) {
-        major_status = generic_gss_add_oid_set_member(minor_status,
-                                                      gss_mech_krb5_old,
-                                                      &mechs);
-        if (GSS_ERROR(major_status)) {
-            generic_gss_release_oid_set(&minor, &mechs);
-            return major_status;
-        }
-    }
-    if (cred->rfc_mech) {
-        major_status = generic_gss_add_oid_set_member(minor_status,
-                                                      gss_mech_krb5,
-                                                      &mechs);
-        if (GSS_ERROR(major_status)) {
-            generic_gss_release_oid_set(&minor, &mechs);
-            return major_status;
-        }
-    }
-
-    *actual_mechs = mechs;
-
-    return GSS_S_COMPLETE;
-}
-
 static int
 kg_is_initiator_cred(krb5_gss_cred_id_t cred)
 {
@@ -111,9 +42,7 @@ kg_impersonate_name(OM_uint32 *minor_status,
                     const krb5_gss_cred_id_t impersonator_cred,
                     const krb5_gss_name_t user,
                     OM_uint32 time_req,
-                    const gss_OID_set desired_mechs,
                     krb5_gss_cred_id_t *output_cred,
-                    gss_OID_set *actual_mechs,
                     OM_uint32 *time_rec,
                     krb5_context context)
 {
@@ -165,9 +94,7 @@ kg_impersonate_name(OM_uint32 *minor_status,
                                          impersonator_cred,
                                          out_creds,
                                          time_req,
-                                         desired_mechs,
                                          output_cred,
-                                         actual_mechs,
                                          time_rec,
                                          context);
 
@@ -177,6 +104,7 @@ kg_impersonate_name(OM_uint32 *minor_status,
     return major_status;
 }
 
+/* The mechglue always passes null desired_mechs and actual_mechs. */
 OM_uint32
 krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
                                        const gss_cred_id_t impersonator_cred_handle,
@@ -208,8 +136,6 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
     }
 
     *output_cred_handle = GSS_C_NO_CREDENTIAL;
-    if (actual_mechs != NULL)
-        *actual_mechs = GSS_C_NO_OID_SET;
     if (time_rec != NULL)
         *time_rec = 0;
 
@@ -231,9 +157,7 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
                                        (krb5_gss_cred_id_t)impersonator_cred_handle,
                                        (krb5_gss_name_t)desired_name,
                                        time_req,
-                                       desired_mechs,
                                        &cred,
-                                       actual_mechs,
                                        time_rec,
                                        context);
 
@@ -251,9 +175,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
                       krb5_gss_cred_id_t impersonator_cred,
                       krb5_creds *subject_creds,
                       OM_uint32 time_req,
-                      const gss_OID_set desired_mechs,
                       krb5_gss_cred_id_t *output_cred,
-                      gss_OID_set *actual_mechs,
                       OM_uint32 *time_rec,
                       krb5_context context)
 {
@@ -295,10 +217,6 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
     cred->usage = GSS_C_INITIATE;
     cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
 
-    major_status = kg_set_desired_mechs(minor_status, desired_mechs, cred);
-    if (GSS_ERROR(major_status))
-        goto cleanup;
-
     cred->tgt_expire = impersonator_cred->tgt_expire;
 
     code = kg_init_name(context, subject_creds->client, NULL, 0, &cred->name);
@@ -337,10 +255,6 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
         *time_rec = cred->tgt_expire - now;
     }
 
-    major_status = kg_return_mechs(minor_status, cred, actual_mechs);
-    if (GSS_ERROR(major_status))
-        goto cleanup;
-
     if (!kg_save_cred_id((gss_cred_id_t)cred)) {
         code = G_VALIDATE_FAILED;
         goto cleanup;