diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-11-02 00:31:22 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:38 -0500 |
commit | 3b2a6997b43dcfe37adf67c84e564a4fbff5b108 (patch) | |
tree | b346357dacf58cc803e5fa5919199a1791eb20ea /source4/heimdal/lib/gssapi | |
parent | f8ebd5a53ce115b9d9dc6e87e0dbe4cdd6f9b79d (diff) | |
download | samba-3b2a6997b43dcfe37adf67c84e564a4fbff5b108.tar.gz samba-3b2a6997b43dcfe37adf67c84e564a4fbff5b108.tar.bz2 samba-3b2a6997b43dcfe37adf67c84e564a4fbff5b108.zip |
r11452: Update Heimdal to current lorikeet, including removing the ccache side
of the gsskrb5_acquire_cred hack.
Add support for delegated credentials into the auth and credentials
subsystem, and specifically into gensec_gssapi.
Add the CIFS NTVFS handler as a consumer of delegated credentials,
when no user/domain/password is specified.
Andrew Bartlett
(This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
Diffstat (limited to 'source4/heimdal/lib/gssapi')
-rw-r--r-- | source4/heimdal/lib/gssapi/accept_sec_context.c | 38 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/acquire_cred.c | 132 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/copy_ccache.c | 90 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/delete_sec_context.c | 2 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi.h | 8 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/gssapi_locl.h | 12 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/init_sec_context.c | 46 | ||||
-rw-r--r-- | source4/heimdal/lib/gssapi/release_cred.c | 6 |
8 files changed, 227 insertions, 107 deletions
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c index 8e354c3136..5d43cdcb43 100644 --- a/source4/heimdal/lib/gssapi/accept_sec_context.c +++ b/source4/heimdal/lib/gssapi/accept_sec_context.c @@ -239,7 +239,7 @@ gsskrb5_acceptor_ready( OM_uint32 ret; int32_t seq_number; int is_cfx = 0; - u_int32_t flags = (*context_handle)->flags; + u_int32_t *flags = &(*context_handle)->flags; krb5_auth_getremoteseqnumber (gssapi_krb5_context, (*context_handle)->auth_context, @@ -249,11 +249,11 @@ gsskrb5_acceptor_ready( ret = _gssapi_msg_order_create(minor_status, &(*context_handle)->order, - _gssapi_msg_order_f(flags), + _gssapi_msg_order_f(*flags), seq_number, 0, is_cfx); if (ret) return ret; - if (!(flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(flags)) { + if (!(*flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(*flags)) { krb5_auth_con_setlocalseqnumber(gssapi_krb5_context, (*context_handle)->auth_context, seq_number); @@ -262,11 +262,14 @@ gsskrb5_acceptor_ready( /* * We should handle the delegation ticket, in case it's there */ - if ((*context_handle)->fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) { + if ((*context_handle)->fwd_data.length > 0 && (*flags & GSS_C_DELEG_FLAG)) { ret = gsskrb5_accept_delegated_token(minor_status, context_handle, delegated_cred_handle); if (ret) return ret; + } else { + /* Well, looks like it wasn't there after all */ + *flags &= ~GSS_C_DELEG_FLAG; } (*context_handle)->state = ACCEPTOR_READY; @@ -297,10 +300,9 @@ gsskrb5_acceptor_start krb5_ticket *ticket = NULL; krb5_keytab keytab = NULL; krb5_keyblock *keyblock = NULL; - krb5_data fwd_data; int is_cfx = 0; - krb5_data_zero (&fwd_data); + krb5_data_zero (&(*context_handle)->fwd_data); /* * We may, or may not, have an escapsulation. @@ -415,7 +417,7 @@ gsskrb5_acceptor_start input_chan_bindings, authenticator->cksum, &flags, - &fwd_data); + &(*context_handle)->fwd_data); krb5_free_authenticator(gssapi_krb5_context, &authenticator); if (ret) { return ret; @@ -461,15 +463,9 @@ gsskrb5_acceptor_start } } - /* - * We need to send the flags back to the caller - */ flags |= GSS_C_TRANS_FLAG; - if (ret_flags) - *ret_flags = flags; - - /* And remember them for later */ + /* Remember the flags */ (*context_handle)->lifetime = ticket->ticket.endtime; (*context_handle)->flags = flags; @@ -491,11 +487,23 @@ gsskrb5_acceptor_start * When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client */ if (flags & GSS_C_DCE_STYLE) { + if (ret_flags) { + /* Return flags to caller, but we haven't processed delgations yet */ + *ret_flags = flags & ~GSS_C_DELEG_FLAG; + } + (*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE; return GSS_S_CONTINUE_NEEDED; } - return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); + ret = gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle); + + /* + * We need to send the flags back to the caller + */ + + *ret_flags = (*context_handle)->flags; + return ret; } static OM_uint32 diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c index 23c2603352..d67b400920 100644 --- a/source4/heimdal/lib/gssapi/acquire_cred.c +++ b/source4/heimdal/lib/gssapi/acquire_cred.c @@ -33,7 +33,53 @@ #include "gssapi_locl.h" -RCSID("$Id: acquire_cred.c,v 1.23 2005/10/21 12:44:08 lha Exp $"); +RCSID("$Id: acquire_cred.c,v 1.24 2005/10/26 11:25:16 lha Exp $"); + +OM_uint32 +_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status, + krb5_ccache id, + krb5_principal principal, + OM_uint32 *lifetime) +{ + krb5_creds in_cred, *out_cred; + krb5_const_realm realm; + krb5_error_code kret; + + memset(&in_cred, 0, sizeof(in_cred)); + in_cred.client = principal; + + realm = krb5_principal_get_realm(gssapi_krb5_context, principal); + if (realm == NULL) { + gssapi_krb5_clear_status (); + *minor_status = KRB5_PRINC_NOMATCH; /* XXX */ + return GSS_S_FAILURE; + } + + kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server, + realm, KRB5_TGS_NAME, realm, NULL); + if (kret) { + gssapi_krb5_set_error_string(); + *minor_status = kret; + return GSS_S_FAILURE; + } + + kret = krb5_get_credentials(gssapi_krb5_context, 0, + id, &in_cred, &out_cred); + krb5_free_principal(gssapi_krb5_context, in_cred.server); + if (kret) { + gssapi_krb5_set_error_string(); + *minor_status = kret; + return GSS_S_FAILURE; + } + + *lifetime = out_cred->times.endtime; + krb5_free_creds(gssapi_krb5_context, out_cred); + + return GSS_S_COMPLETE; +} + + + static krb5_error_code get_keytab(krb5_context context, krb5_keytab *keytab) @@ -61,7 +107,6 @@ static OM_uint32 acquire_initiator_cred (OM_uint32 * minor_status, krb5_context context, krb5_keytab keytab, - krb5_ccache ccache, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, @@ -75,10 +120,11 @@ static OM_uint32 acquire_initiator_cred krb5_creds cred; krb5_principal def_princ; krb5_get_init_creds_opt *opt; + krb5_ccache ccache; krb5_error_code kret; - krb5_boolean made_ccache = FALSE; krb5_boolean made_keytab = FALSE; + ccache = NULL; def_princ = NULL; ret = GSS_S_FAILURE; memset(&cred, 0, sizeof(cred)); @@ -86,29 +132,22 @@ static OM_uint32 acquire_initiator_cred /* If we have a preferred principal, lets try to find it in all * caches, otherwise, fall back to default cache. Ignore * errors. */ - if (ccache == NULL && handle->principal) { + if (handle->principal) kret = krb5_cc_cache_match (gssapi_krb5_context, handle->principal, NULL, &ccache); - if (kret) { - ccache = NULL; - } else { - made_ccache = TRUE; - } - } + if (ccache == NULL) { kret = krb5_cc_default(gssapi_krb5_context, &ccache); if (kret) goto end; - made_ccache = TRUE; } kret = krb5_cc_get_principal(context, ccache, &def_princ); if (kret != 0) { /* we'll try to use a keytab below */ krb5_cc_destroy(context, ccache); - made_ccache = FALSE; ccache = NULL; kret = 0; } else if (handle->principal == NULL) { @@ -133,65 +172,41 @@ static OM_uint32 acquire_initiator_cred if (kret) goto end; } - if (keytab != NULL) { - kret = get_keytab(context, &keytab); - if (kret) - goto end; - made_keytab = TRUE; - } - kret = krb5_get_init_creds_opt_alloc(context, &opt); + kret = get_keytab(context, &keytab); + if (kret) + goto end; + kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt); if (kret) goto end; - kret = krb5_get_init_creds_keytab(context, &cred, + kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred, handle->principal, keytab, 0, NULL, opt); krb5_get_init_creds_opt_free(opt); if (kret) goto end; - if (ccache == NULL) { - kret = krb5_cc_gen_new(context, &krb5_mcc_ops, - &ccache); - if (kret) - goto end; - made_ccache = TRUE; - } - kret = krb5_cc_initialize(context, ccache, cred.client); + kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops, + &ccache); if (kret) goto end; - kret = krb5_cc_store_cred(context, ccache, &cred); + kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client); if (kret) goto end; - handle->lifetime = cred.times.endtime; - } else { - krb5_creds in_cred, *out_cred; - krb5_const_realm realm; - - memset(&in_cred, 0, sizeof(in_cred)); - in_cred.client = handle->principal; - - realm = krb5_principal_get_realm(context, - handle->principal); - if (realm == NULL) { - kret = KRB5_PRINC_NOMATCH; /* XXX */ - goto end; - } - - kret = krb5_make_principal(context, &in_cred.server, - realm, KRB5_TGS_NAME, realm, NULL); + kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred); if (kret) goto end; + handle->lifetime = cred.times.endtime; + handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE; + } else { - kret = krb5_get_credentials(context, 0, - ccache, &in_cred, &out_cred); - krb5_free_principal(context, in_cred.server); - if (kret) + ret = _gssapi_krb5_ccache_lifetime(minor_status, + ccache, + handle->principal, + &handle->lifetime); + if (ret != GSS_S_COMPLETE) goto end; - - handle->lifetime = out_cred->times.endtime; - krb5_free_creds(context, out_cred); + kret = 0; } handle->ccache = ccache; - handle->made_ccache = made_ccache; ret = GSS_S_COMPLETE; end: @@ -202,8 +217,8 @@ end: if (made_keytab) krb5_kt_close(context, keytab); if (ret != GSS_S_COMPLETE) { - if (made_ccache) - krb5_cc_close(context, ccache); + if (ccache != NULL) + krb5_cc_close(gssapi_krb5_context, ccache); if (kret != 0) { *minor_status = kret; gssapi_krb5_set_error_string (); @@ -255,7 +270,6 @@ end: OM_uint32 gsskrb5_acquire_cred (OM_uint32 * minor_status, struct krb5_keytab_data *keytab, - struct krb5_ccache_data *ccache, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, @@ -314,7 +328,7 @@ OM_uint32 gsskrb5_acquire_cred } if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) { ret = acquire_initiator_cred(minor_status, gssapi_krb5_context, - keytab, ccache, + keytab, desired_name, time_req, desired_mechs, cred_usage, handle, actual_mechs, time_rec); @@ -379,7 +393,7 @@ OM_uint32 gss_acquire_cred ) { return gsskrb5_acquire_cred(minor_status, - NULL, NULL, + NULL, desired_name, time_req, desired_mechs, diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/copy_ccache.c index 828ca64156..0f2f155870 100644 --- a/source4/heimdal/lib/gssapi/copy_ccache.c +++ b/source4/heimdal/lib/gssapi/copy_ccache.c @@ -33,7 +33,7 @@ #include "gssapi_locl.h" -RCSID("$Id: copy_ccache.c,v 1.7 2003/09/01 15:11:09 lha Exp $"); +RCSID("$Id: copy_ccache.c,v 1.9 2005/10/31 16:02:08 lha Exp $"); OM_uint32 gss_krb5_copy_ccache(OM_uint32 *minor_status, @@ -61,6 +61,94 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status, return GSS_S_COMPLETE; } + +OM_uint32 +gss_krb5_import_ccache(OM_uint32 *minor_status, + krb5_ccache in, + gss_cred_id_t *cred) +{ + krb5_error_code kret; + gss_cred_id_t handle; + OM_uint32 ret; + + *cred = NULL; + + GSSAPI_KRB5_INIT (); + + handle = (gss_cred_id_t)calloc(1, sizeof(*handle)); + if (handle == GSS_C_NO_CREDENTIAL) { + gssapi_krb5_clear_status (); + *minor_status = ENOMEM; + return (GSS_S_FAILURE); + } + HEIMDAL_MUTEX_init(&handle->cred_id_mutex); + + handle->usage = GSS_C_INITIATE; + + kret = krb5_cc_get_principal(gssapi_krb5_context, in, &handle->principal); + if (kret) { + free(handle); + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + + ret = _gssapi_krb5_ccache_lifetime(minor_status, + in, + handle->principal, + &handle->lifetime); + if (ret != GSS_S_COMPLETE) { + krb5_free_principal(gssapi_krb5_context, handle->principal); + free(handle); + return ret; + } + + ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms); + if (ret == GSS_S_COMPLETE) + ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM, + &handle->mechanisms); + if (ret != GSS_S_COMPLETE) { + krb5_free_principal(gssapi_krb5_context, handle->principal); + free(handle); + *minor_status = kret; + return GSS_S_FAILURE; + } + + { + const char *type, *name; + char *str; + + type = krb5_cc_get_type(gssapi_krb5_context, in); + name = krb5_cc_get_name(gssapi_krb5_context, in); + + if (asprintf(&str, "%s:%s", type, name) == -1) { + krb5_set_error_string(gssapi_krb5_context, + "malloc - out of memory"); + kret = ENOMEM; + goto out; + } + + kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache); + free(str); + if (kret) + goto out; + } + + *minor_status = 0; + *cred = handle; + return GSS_S_COMPLETE; + +out: + gssapi_krb5_set_error_string (); + if (handle->principal) + krb5_free_principal(gssapi_krb5_context, handle->principal); + HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex); + free(handle); + *minor_status = kret; + return GSS_S_FAILURE; +} + + OM_uint32 gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status, gss_ctx_id_t context_handle, diff --git a/source4/heimdal/lib/gssapi/delete_sec_context.c b/source4/heimdal/lib/gssapi/delete_sec_context.c index 83658fa76c..301197aa4c 100644 --- a/source4/heimdal/lib/gssapi/delete_sec_context.c +++ b/source4/heimdal/lib/gssapi/delete_sec_context.c @@ -66,6 +66,8 @@ OM_uint32 gss_delete_sec_context (*context_handle)->service_keyblock); if((*context_handle)->order) _gssapi_msg_order_destroy(&(*context_handle)->order); + if ((*context_handle)->fwd_data.length > 0) + free((*context_handle)->fwd_data.data); HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex); diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h index 4bf6780daa..64a31d1eee 100644 --- a/source4/heimdal/lib/gssapi/gssapi.h +++ b/source4/heimdal/lib/gssapi/gssapi.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi.h,v 1.37 2005/02/21 08:48:15 lukeh Exp $ */ +/* $Id: gssapi.h,v 1.38 2005/10/26 11:22:13 lha Exp $ */ #ifndef GSSAPI_H_ #define GSSAPI_H_ @@ -778,7 +778,6 @@ OM_uint32 gss_unseal OM_uint32 gsskrb5_acquire_cred (OM_uint32 * minor_status, struct krb5_keytab_data *keytab, - struct krb5_ccache_data *ccache, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, @@ -806,6 +805,11 @@ OM_uint32 gss_krb5_copy_service_keyblock gss_ctx_id_t context_handle, struct EncryptionKey **out); +OM_uint32 +gss_krb5_import_ccache(OM_uint32 */*minor*/, + struct krb5_ccache_data * /*in*/, + gss_cred_id_t */*out*/); + OM_uint32 gss_krb5_get_tkt_flags (OM_uint32 */*minor*/, gss_ctx_id_t /*context_handle*/, diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h index 1d22099877..aa663e87a6 100644 --- a/source4/heimdal/lib/gssapi/gssapi_locl.h +++ b/source4/heimdal/lib/gssapi/gssapi_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: gssapi_locl.h,v 1.41 2005/10/12 15:20:37 lha Exp $ */ +/* $Id: gssapi_locl.h,v 1.42 2005/10/26 11:23:48 lha Exp $ */ #ifndef GSSAPI_LOCL_H #define GSSAPI_LOCL_H @@ -79,12 +79,13 @@ typedef struct gss_ctx_id_t_desc_struct { typedef struct gss_cred_id_t_desc_struct { gss_name_t principal; + int cred_flags; +#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 krb5_boolean made_keytab; struct krb5_keytab_data *keytab; OM_uint32 lifetime; gss_cred_usage_t usage; gss_OID_set mechanisms; - krb5_boolean made_ccache; struct krb5_ccache_data *ccache; HEIMDAL_MUTEX cred_id_mutex; } gss_cred_id_t_desc; @@ -108,7 +109,6 @@ struct gssapi_thr_context { */ krb5_error_code gssapi_krb5_init (void); -krb5_error_code gssapi_krb5_init_ev (void *event_context); #define GSSAPI_KRB5_INIT() do { \ krb5_error_code kret_gss_init; \ @@ -271,6 +271,10 @@ _gss_check_compat(OM_uint32 *, gss_name_t, const char *, OM_uint32 gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *); +OM_uint32 +_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache, + krb5_principal, OM_uint32 *); + /* sequence */ OM_uint32 diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c index 93e8d44c86..b8eb748bf5 100644 --- a/source4/heimdal/lib/gssapi/init_sec_context.c +++ b/source4/heimdal/lib/gssapi/init_sec_context.c @@ -162,7 +162,7 @@ _gsskrb5_create_ctx( static OM_uint32 gsskrb5_get_creds( OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, + krb5_ccache ccache, gss_ctx_id_t * context_handle, const gss_name_t target_name, OM_uint32 time_req, @@ -172,22 +172,10 @@ gsskrb5_get_creds( OM_uint32 ret; krb5_error_code kret; krb5_creds this_cred; - krb5_ccache ccache = NULL; OM_uint32 lifetime_rec; *cred = NULL; - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - kret = krb5_cc_default (gssapi_krb5_context, &ccache); - if (kret) { - gssapi_krb5_set_error_string (); - *minor_status = kret; - return GSS_S_FAILURE; - } - } else { - ccache = initiator_cred_handle->ccache; - } - kret = krb5_cc_get_principal(gssapi_krb5_context, ccache, &(*context_handle)->source); @@ -246,10 +234,6 @@ gsskrb5_get_creds( if (time_rec) *time_rec = lifetime_rec; - if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { - krb5_cc_close(gssapi_krb5_context, ccache); - } - return GSS_S_COMPLETE; } @@ -351,7 +335,7 @@ do_delegation (krb5_auth_context ac, static OM_uint32 gsskrb5_initiator_start (OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, + krb5_ccache ccache, gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type, @@ -369,7 +353,6 @@ gsskrb5_initiator_start krb5_flags ap_options; krb5_creds *cred = NULL; krb5_data outbuf; - krb5_ccache ccache = NULL; u_int32_t flags; krb5_data authenticator; Checksum cksum; @@ -383,7 +366,7 @@ gsskrb5_initiator_start /* We need to get the credentials for the requested target */ ret = gsskrb5_get_creds(minor_status, - initiator_cred_handle, + ccache, context_handle, target_name, time_req, @@ -543,7 +526,7 @@ gsskrb5_initiator_start static OM_uint32 gsskrb5_initiator_wait_for_mutual( OM_uint32 * minor_status, - const gss_cred_id_t initiator_cred_handle, + krb5_ccache ccache, gss_ctx_id_t * context_handle, const gss_name_t target_name, const gss_OID mech_type, @@ -697,6 +680,8 @@ gsskrb5_init_sec_context ) { OM_uint32 ret; + krb5_error_code kret; + krb5_ccache ccache = NULL; if (*context_handle == GSS_C_NO_CONTEXT) { ret = _gsskrb5_create_ctx(minor_status, @@ -708,12 +693,23 @@ gsskrb5_init_sec_context if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM; + if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { + kret = krb5_cc_default (gssapi_krb5_context, &ccache); + if (kret) { + gssapi_krb5_set_error_string (); + *minor_status = kret; + return GSS_S_FAILURE; + } + } else { + ccache = initiator_cred_handle->ccache; + } + HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex); switch ((*context_handle)->state) { case INITIATOR_START: ret = gsskrb5_initiator_start(minor_status, - initiator_cred_handle, + ccache, context_handle, target_name, mech_type, @@ -727,7 +723,7 @@ gsskrb5_init_sec_context break; case INITIATOR_WAIT_FOR_MUTAL: ret = gsskrb5_initiator_wait_for_mutual(minor_status, - initiator_cred_handle, + ccache, context_handle, target_name, mech_type, @@ -771,6 +767,10 @@ gsskrb5_init_sec_context break; } + if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) { + krb5_cc_close(gssapi_krb5_context, ccache); + } + HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex); return ret; diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c index 8ae65dd528..ddd80c144b 100644 --- a/source4/heimdal/lib/gssapi/release_cred.c +++ b/source4/heimdal/lib/gssapi/release_cred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -54,10 +54,10 @@ OM_uint32 gss_release_cred krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal); if ((*cred_handle)->made_keytab) krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab); - if ((*cred_handle)->made_ccache) { + if ((*cred_handle)->ccache != NULL) { const krb5_cc_ops *ops; ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache); - if (ops == &krb5_mcc_ops) + if ((*cred_handle)->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE) krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache); else krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache); |