Fix several bugs in gss-krb5 inq_cred
authorGreg Hudson <ghudson@mit.edu>
Tue, 6 Sep 2011 15:14:10 +0000 (15:14 +0000)
committerGreg Hudson <ghudson@mit.edu>
Tue, 6 Sep 2011 15:14:10 +0000 (15:14 +0000)
cred could be used uninitialized if krb5_timeofday() failed.  defcred
had the wrong type.  kg_cred_resolve() should be used instead of
krb5_gss_validate_cred() to do delayed name/ccache resolution and get
a lock.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25164 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/inq_cred.c

index f523a545cfe4db588d81823b8f3b0469c358d216..057e51bfa17b8c43725b8b071209c3e54e436ea4 100644 (file)
@@ -83,7 +83,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     gss_OID_set *mechanisms;
 {
     krb5_context context;
-    krb5_gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL, cred;
+    gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
+    krb5_gss_cred_id_t cred = NULL;
     krb5_error_code code;
     krb5_timestamp now;
     krb5_deltat lifetime;
@@ -104,12 +105,6 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     if (name) *name = NULL;
     if (mechanisms) *mechanisms = NULL;
 
-    if ((code = krb5_timeofday(context, &now))) {
-        *minor_status = code;
-        ret = GSS_S_FAILURE;
-        goto fail;
-    }
-
     /* check for default credential */
     /*SUPPRESS 29*/
     if (cred_handle == GSS_C_NO_CREDENTIAL) {
@@ -121,7 +116,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
         cred_handle = defcred;
     }
 
-    major = krb5_gss_validate_cred(minor_status, cred_handle);
+    major = kg_cred_resolve(minor_status, context, cred_handle, GSS_C_NO_NAME);
     if (GSS_ERROR(major)) {
         krb5_gss_release_cred(minor_status, &defcred);
         krb5_free_context(context);
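Review bot: In the error branch after `kg_cred_resolve`, the call `krb5_gss_release_cred(minor_status, &defcred)` is handed the same `minor_status` that the failed resolve has just filled in. The body of `krb5_gss_release_cred` is not shown here, but if it writes `*minor_status`, the caller loses the mechanism-specific reason for the failure and sees only the major status. A scratch variable would preserve it: declare `OM_uint32 tmpmin;` with the other locals and call `krb5_gss_release_cred(&tmpmin, &defcred);` in this branch. The branch continues past the end of the hunk, so the value actually returned is not visible.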
@@ -129,6 +124,12 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
     }
     cred = (krb5_gss_cred_id_t)cred_handle;
 
+    if ((code = krb5_timeofday(context, &now))) {
+        *minor_status = code;
+        ret = GSS_S_FAILURE;
+        goto fail;
+    }
+
     if (cred->tgt_expire > 0) {
         if ((lifetime = cred->tgt_expire - now) < 0)
             lifetime = 0;
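Review bot: The relocated `krb5_timeofday` check now reaches `goto fail` after `kg_cred_resolve` has succeeded, which according to the commit message leaves the credential's lock held. The `fail` label lies outside this hunk, so it should be confirmed that this path releases the lock and `defcred` before returning; otherwise a clock failure would leave the credential locked for every later caller. Because `cred` now starts as `NULL`, any cleanup code that touches `cred` must also tolerate being reached before the assignment at `cred = (krb5_gss_cred_id_t)cred_handle;`. A short comment above the check would record the constraint: `/* cred is resolved and locked from here on; all exits must unlock it */`.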