GSS_C_NO_CREDENTIAL should accept any principal
authorSam Hartman <hartmans@mit.edu>
Tue, 4 Mar 2003 20:45:32 +0000 (20:45 +0000)
committerSam Hartman <hartmans@mit.edu>
Tue, 4 Mar 2003 20:45:32 +0000 (20:45 +0000)
If a context is accepted with GSS_C_NO_CREDENTIAL, or if a credential
is acquired with GSS_C_NO_NAME as the acceptor name, then allow any
principal in the keytab to be used as the acceptor name.

This means that gss_inquire_cred can return GSS_C_NO_NAME from a
credential.

ticket: new
Tags: enhancement
cc: nicolas.williams@sun.com
cc: krbdev@mit.edu

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15218 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/ChangeLog
src/lib/gssapi/krb5/accept_sec_context.c
src/lib/gssapi/krb5/acquire_cred.c
src/lib/gssapi/krb5/add_cred.c
src/lib/gssapi/krb5/inq_cred.c
src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/rd_req.c
src/lib/krb5/krb/srv_rcache.c

index b85af053e88cd880ed0586118fd7b9d3fb759120..e6f06e2a1799d7c40cdbc78da62d79406172328e 100644 (file)
@@ -1,3 +1,25 @@
+2003-03-02  Sam Hartman  <hartmans@mit.edu>
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): Deal with
+       creds without rcache available.  They will be slower.
+
+       * add_cred.c (krb5_gss_add_cred): Deal with princ being null
+
+       * accept_sec_context.c (krb5_gss_accept_sec_context): Populate
+       ctx->here from ticket->server instead of cred->princ.  If
+       cred->princ exists it will be the same, but the previous change
+       may make it null
+
+       * inq_cred.c (krb5_gss_inquire_cred): Allow for null princ
+       component of credentials
+
+       * acquire_cred.c: When acquiring acceptor credentials, allow
+       GSS_C_NO_NAME to mean that we accept any credential.  In this case
+       we do not look to see if the principal is found in the keytab and
+       we leave princ null in the context.  This means you get
+       GSS_C_NO_NAME out from inquire_cred.   If cred->princ is null
+       don't set up a rcache
+
 2003-03-01  Tom Yu  <tlyu@mit.edu>
 
        * accept_sec_context.c (krb5_gss_accept_sec_context): Don't
index be212b526293de14e2ee2eb9497c4521419feef9..899ca5a2f7b1b38a31577e99f9be452c35e2611a 100644 (file)
@@ -360,9 +360,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
    }
    krb5_auth_con_setflags(context, auth_context,
                          KRB5_AUTH_CONTEXT_DO_SEQUENCE);
-   if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
-       major_status = GSS_S_FAILURE;
-       goto fail;
+   if (cred->rcache) {
+       if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+          major_status = GSS_S_FAILURE;
+          goto fail;
+       }
    }
    if ((code = krb5_auth_con_setaddrs(context, auth_context, NULL, paddr))) {
        major_status = GSS_S_FAILURE;
@@ -580,7 +582,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
        goto fail;
    }
 
-   if ((code = krb5_copy_principal(context, cred->princ, &ctx->here))) {
+   if ((code = krb5_copy_principal(context, ticket->server, &ctx->here))) {
        major_status = GSS_S_FAILURE;
        goto fail;
    }
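Review bot: In the first hunk, skipping krb5_auth_con_setrcache when cred->rcache is NULL leaves the auth context without a replay cache, and nothing at the call site records why that is acceptable; going by the ChangeLog entries and the rd_req.c hunk in this commit, replay detection then relies on krb5_rd_req opening a cache from the ticket's server name, presumably once per call, which the ChangeLog itself calls the slower path. Add a comment above the guard, e.g. `/* A GSS_C_NO_NAME acceptor cred has no rcache; krb5_rd_req then opens one from the ticket's server name on each call (slower). */`. The second hunk's switch to ticket->server is consistent with cred->princ now possibly being NULL. krb5_gss_accept_sec_context begins and ends outside both hunks.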
index daa900a314906de85f678e86b2d1ffadf025db57..23a17b86368f58556a1aeeed391b487d00976536 100644 (file)
@@ -108,42 +108,31 @@ acquire_accept_cred(context, minor_status, desired_name, output_princ, cred)
       return(GSS_S_CRED_UNAVAIL);
    }
 
-   /* figure out what principal to use.  If the default name is
-      requested, use the default sn2princ output */
-
-   if (desired_name == (gss_name_t) NULL) {
-      if ((code = krb5_sname_to_principal(context, NULL, NULL, KRB5_NT_SRV_HST,
-                                         &princ))) {
-        (void) krb5_kt_close(context, kt);
-        *minor_status = code;
-        return(GSS_S_FAILURE);
-      }
-      *output_princ = princ;
-   } else {
-      princ = (krb5_principal) desired_name;
-   }
-
-   if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
+if (desired_name != GSS_C_NO_NAME) {
+    princ = (krb5_principal) desired_name;
+    if ((code = krb5_kt_get_entry(context, kt, princ, 0, 0, &entry))) {
        (void) krb5_kt_close(context, kt);
        if (code == KRB5_KT_NOTFOUND)
-            *minor_status = KG_KEYTAB_NOMATCH;
+           *minor_status = KG_KEYTAB_NOMATCH;
        else
-            *minor_status = code;
+           *minor_status = code;
        return(GSS_S_CRED_UNAVAIL);
-   }
-   krb5_kt_free_entry(context, &entry);
+    }
+    krb5_kt_free_entry(context, &entry);
 
-   /* hooray.  we made it */
+    /* Open the replay cache for this principal. */
+    if ((code = krb5_get_server_rcache(context,
+                                      krb5_princ_component(context, princ, 0),
+                                      &cred->rcache))) {
+       *minor_status = code;
+       return(GSS_S_FAILURE);
+    }
 
-   cred->keytab = kt;
+}
 
-   /* Open the replay cache for this principal. */
-   if ((code = krb5_get_server_rcache(context,
-                                     krb5_princ_component(context, princ, 0),
-                                     &cred->rcache))) {
-       *minor_status = code;
-       return(GSS_S_FAILURE);
-   }
+/* hooray.  we made it */
+
+   cred->keytab = kt;
 
    return(GSS_S_COMPLETE);
 }
@@ -413,7 +402,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
 
    /* if the princ wasn't filled in already, fill it in now */
 
-   if (!cred->princ)
+   if (!cred->princ && (desired_name != GSS_C_NO_CREDENTIAL))
       if ((code = krb5_copy_principal(context, (krb5_principal) desired_name,
                                      &(cred->princ)))) {
         if (cred->ccache)
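Review bot: In the first hunk, the replay-cache failure path after `krb5_get_server_rcache` returns GSS_S_FAILURE without closing `kt`: `cred->keytab = kt` has moved below the block, so the caller no longer holds the keytab handle and it leaks, whereas the keytab-lookup failure just above does close it. Add `(void) krb5_kt_close(context, kt);` before that `return(GSS_S_FAILURE);`. The new block is also written at column 0 inside the function body; re-indent it to match the surrounding code. In the second hunk, `desired_name != GSS_C_NO_CREDENTIAL` compares a gss_name_t against the credential-handle constant; `desired_name != GSS_C_NO_NAME` is the type-correct spelling. Note also that with GSS_C_NO_NAME no keytab entry is looked up at acquire time, so an empty keytab is only noticed when a context is accepted; both functions start and end outside these hunks.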
index 4bbee5ef367b0dce50a5f39ec88043d7f55b68ad..254abfe06828fc455c447264f17240af2d460554 100644 (file)
@@ -181,7 +181,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
        new_cred->rfc_mech = cred->rfc_mech;
        new_cred->tgt_expire = cred->tgt_expire;
 
-       code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
+       if (cred->princ)
+           code = krb5_copy_principal(context, cred->princ, &new_cred->princ);
        if (code) {
            xfree(new_cred);
 
@@ -192,7 +193,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
        if (cred->keytab) {
            kttype = krb5_kt_get_type(context, cred->keytab);
            if ((strlen(kttype)+2) > sizeof(ktboth)) {
-               krb5_free_principal(context, new_cred->princ);
+               if (new_cred->princ)
+                   krb5_free_principal(context, new_cred->princ);
                xfree(new_cred);
 
                *minor_status = ENOMEM;
@@ -207,7 +209,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
                                    ktboth+strlen(ktboth),
                                    sizeof(ktboth)-strlen(ktboth));
            if (code) {
-               krb5_free_principal(context, new_cred->princ);
+               if(new_cred->princ)
+                   krb5_free_principal(context, new_cred->princ);
                xfree(new_cred);
 
                *minor_status = code;
@@ -216,6 +219,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
 
            code = krb5_kt_resolve(context, ktboth, &new_cred->keytab);
            if (code) {
+               if (new_cred->princ)
                krb5_free_principal(context, new_cred->princ);
                xfree(new_cred);
 
@@ -233,7 +237,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
                                               &new_cred->rcache))) {
                if (new_cred->keytab)
                    krb5_kt_close(context, new_cred->keytab);
-               krb5_free_principal(context, new_cred->princ);
+               if (new_cred->princ)
+                   krb5_free_principal(context, new_cred->princ);
                xfree(new_cred);
 
                *minor_status = code;
@@ -252,6 +257,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
                    krb5_rc_close(context, new_cred->rcache);
                if (new_cred->keytab)
                    krb5_kt_close(context, new_cred->keytab);
+               if (new_cred->princ)
                krb5_free_principal(context, new_cred->princ);
                xfree(new_cred);
 
@@ -270,7 +276,8 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
                    krb5_rc_close(context, new_cred->rcache);
                if (new_cred->keytab)
                    krb5_kt_close(context, new_cred->keytab);
-               krb5_free_principal(context, new_cred->princ);
+               if (new_cred->princ)
+                   krb5_free_principal(context, new_cred->princ);
                xfree(new_cred);
 
                *minor_status = code;
@@ -289,6 +296,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
                krb5_rc_close(context, new_cred->rcache);
            if (new_cred->keytab)
                krb5_kt_close(context, new_cred->keytab);
+           if (new_cred->princ)
            krb5_free_principal(context, new_cred->princ);
            xfree(new_cred);
 
index 88001ff4edee86e90ba8e28a4f947c06ab0bc524..a79034d9ec43877e9180cb2c9b5ac2c1513877d0 100644 (file)
@@ -129,7 +129,8 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
        lifetime = GSS_C_INDEFINITE;
 
    if (name) {
-      if ((code = krb5_copy_principal(context, cred->princ, &ret_name))) {
+      if (cred->princ &&
+         (code = krb5_copy_principal(context, cred->princ, &ret_name))) {
         *minor_status = code;
         return(GSS_S_FAILURE);
       }
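Review bot: The `cred->princ &&` guard silently falls through when the credential has no principal, so `ret_name` is returned as whatever it held before, presumably NULL / GSS_C_NO_NAME if it is initialized above the hunk — worth confirming. A one-line comment would make the behaviour the commit message describes deliberate: `/* Acceptor creds acquired with GSS_C_NO_NAME have no princ; ret_name stays GSS_C_NO_NAME. */`. krb5_gss_inquire_cred continues outside the hunk.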
index 036e8ed5188d8c94760cceba91b4830e87c12dac..55cf03d5c3255e6c8f9c66069da1355752ab6a7c 100644 (file)
@@ -1,3 +1,9 @@
+2003-03-02  Sam Hartman  <hartmans@mit.edu>
+
+       * srv_rcache.c (krb5_get_server_rcache): If punctuation or graphic characters in replay ccache name then use  escaping
+
+       * rd_req.c (krb5_rd_req): Allow initializing the replay cache from  the ticket
+
 2003-02-25  Tom Yu  <tlyu@mit.edu>
 
        * gic_pwd.c (krb5_get_init_creds_password): Don't pass a NULL
index bc4586e28a6fb255ededc32603a7625e83275184..f844e3cd64a037a8ab215f69b83f72c611dfb891 100644 (file)
@@ -79,6 +79,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da
         *auth_context = new_auth_context;
     }
 
+    if (!server) {
+       server = request->ticket->server;
+    }
     /* Get an rcache if necessary. */
     if (((*auth_context)->rcache == NULL) && server) {
        if ((retval = krb5_get_server_rcache(context,
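Review bot: Defaulting `server` to request->ticket->server names the replay cache from the service name carried in the incoming request, apparently before the ticket has been verified, i.e. from data the peer supplies; the escaping in krb5_get_server_rcache (also changed in this commit) is what keeps that string usable as a cache name, so the two hunks should be reviewed together. This also changes behaviour for every caller that passed a NULL server: the `&& server` condition just below previously meant "no rcache", and now one is opened whenever the auth context lacks it. Add a comment above the new block, e.g. `/* No server name given: key the rcache on the ticket's own server name, taken from the not-yet-verified request (relies on escaping in krb5_get_server_rcache). */`. krb5_rd_req continues outside the hunk.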
index e6abcfb9026370c97b0e61dc4942ff6e035cbe3d..290f869e574bc408b470c8c45e66b6c18d748a28 100644 (file)
@@ -31,6 +31,8 @@
 #include <ctype.h>
 #include <stdio.h>
 
+/* Macro for valid RC name characters*/
+#define isinvalidrcname(x) (isgraph(x)||ispunct(x))
 krb5_error_code KRB5_CALLCONV
 krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache *rcptr)
 {
@@ -58,7 +60,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
     for (i = 0; i < piece->length; i++) {
        if (piece->data[i] == '\\')
            len++;
-       else if (!isgraph((int) piece->data[i]))
+       else if (!isinvalidrcname((int) piece->data[i]))
            len += 3;
     }
 
@@ -81,7 +83,7 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache
            cachename[p++] = '\\';
            continue;
        }
-       if (!isgraph((int) piece->data[i])) {
+       if (!isinvalidrcname((int) piece->data[i])) {
            sprintf(tmp, "%03o", piece->data[i]);
            cachename[p++] = '\\';
            cachename[p++] = tmp[0];
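Review bot: `isinvalidrcname` does not change which characters get escaped: every ispunct() character is also isgraph(), so `isgraph(x)||ispunct(x)` is equivalent to the `isgraph(x)` it replaces, and the ChangeLog's stated intent (escape punctuation as well) is not implemented; the name is also inverted, since the macro is true for the characters that are kept verbatim. If punctuation is meant to be escaped, define `#define isvalidrcname(x) (isgraph(x) && !ispunct(x))` and use `!isvalidrcname(...)` at the two call sites. Separately, both call sites pass `(int) piece->data[i]` to the <ctype.h> macros; a negative char is undefined there and also makes `%03o` print a sign-extended value, so cast through `unsigned char` first. krb5_get_server_rcache begins in the first hunk and ends outside the last.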