authorAndrew Bartlett <abartlet@samba.org>2005-11-02 00:31:22 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:38 -0500
commit3b2a6997b43dcfe37adf67c84e564a4fbff5b108 (patch)
treeb346357dacf58cc803e5fa5919199a1791eb20ea /source4/heimdal/lib/gssapi
parentf8ebd5a53ce115b9d9dc6e87e0dbe4cdd6f9b79d (diff)
r11452: Update Heimdal to current lorikeet, including removing the ccache side
of the gsskrb5_acquire_cred hack. Add support for delegated credentials into the auth and credentials subsystem, and specifically into gensec_gssapi. Add the CIFS NTVFS handler as a consumer of delegated credentials, when no user/domain/password is specified. Andrew Bartlett (This used to be commit 55b89899adb692d90e63873ccdf80b9f94a6b448)
Diffstat (limited to 'source4/heimdal/lib/gssapi')
-rw-r--r--source4/heimdal/lib/gssapi/accept_sec_context.c38
-rw-r--r--source4/heimdal/lib/gssapi/acquire_cred.c132
-rw-r--r--source4/heimdal/lib/gssapi/copy_ccache.c90
-rw-r--r--source4/heimdal/lib/gssapi/delete_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/gssapi.h8
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_locl.h12
-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c46
-rw-r--r--source4/heimdal/lib/gssapi/release_cred.c6
8 files changed, 227 insertions, 107 deletions
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c
index 8e354c3136..5d43cdcb43 100644
--- a/source4/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/accept_sec_context.c
@@ -239,7 +239,7 @@ gsskrb5_acceptor_ready(
OM_uint32 ret;
int32_t seq_number;
int is_cfx = 0;
- u_int32_t flags = (*context_handle)->flags;
+ u_int32_t *flags = &(*context_handle)->flags;
krb5_auth_getremoteseqnumber (gssapi_krb5_context,
(*context_handle)->auth_context,
@@ -249,11 +249,11 @@ gsskrb5_acceptor_ready(
ret = _gssapi_msg_order_create(minor_status,
&(*context_handle)->order,
- _gssapi_msg_order_f(flags),
+ _gssapi_msg_order_f(*flags),
seq_number, 0, is_cfx);
if (ret) return ret;
- if (!(flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(flags)) {
+ if (!(*flags & GSS_C_MUTUAL_FLAG) && _gssapi_msg_order_f(*flags)) {
krb5_auth_con_setlocalseqnumber(gssapi_krb5_context,
(*context_handle)->auth_context,
seq_number);
@@ -262,11 +262,14 @@ gsskrb5_acceptor_ready(
/*
* We should handle the delegation ticket, in case it's there
*/
- if ((*context_handle)->fwd_data.length > 0 && (flags & GSS_C_DELEG_FLAG)) {
+ if ((*context_handle)->fwd_data.length > 0 && (*flags & GSS_C_DELEG_FLAG)) {
ret = gsskrb5_accept_delegated_token(minor_status,
context_handle,
delegated_cred_handle);
if (ret) return ret;
+ } else {
+ /* Well, looks like it wasn't there after all */
+ *flags &= ~GSS_C_DELEG_FLAG;
}
(*context_handle)->state = ACCEPTOR_READY;
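Review bot: The new else branch clears GSS_C_DELEG_FLAG from the context only when no forwarded ticket arrived, but the forwarded bytes kept in `(*context_handle)->fwd_data` are now owned by the context until gss_delete_sec_context frees them on `length > 0` (delete_sec_context.c hunk in this commit). If gsskrb5_accept_delegated_token frees or takes ownership of `fwd_data.data` without also resetting `fwd_data.length` to 0, that later free becomes a double free; its body is not in this diff, so this is worth confirming. A comment on the call would make the contract explicit: `/* fwd_data stays owned by the context; freed in gss_delete_sec_context */`. gsskrb5_acceptor_ready starts before this hunk.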
@@ -297,10 +300,9 @@ gsskrb5_acceptor_start
krb5_ticket *ticket = NULL;
krb5_keytab keytab = NULL;
krb5_keyblock *keyblock = NULL;
- krb5_data fwd_data;
int is_cfx = 0;
- krb5_data_zero (&fwd_data);
+ krb5_data_zero (&(*context_handle)->fwd_data);
/*
* We may, or may not, have an escapsulation.
@@ -415,7 +417,7 @@ gsskrb5_acceptor_start
input_chan_bindings,
authenticator->cksum,
&flags,
- &fwd_data);
+ &(*context_handle)->fwd_data);
krb5_free_authenticator(gssapi_krb5_context, &authenticator);
if (ret) {
return ret;
@@ -461,15 +463,9 @@ gsskrb5_acceptor_start
}
}
- /*
- * We need to send the flags back to the caller
- */
flags |= GSS_C_TRANS_FLAG;
- if (ret_flags)
- *ret_flags = flags;
-
- /* And remember them for later */
+ /* Remember the flags */
(*context_handle)->lifetime = ticket->ticket.endtime;
(*context_handle)->flags = flags;
@@ -491,11 +487,23 @@ gsskrb5_acceptor_start
* When GSS_C_DCE_STYLE is in use, we need ask for a AP-REP from the client
*/
if (flags & GSS_C_DCE_STYLE) {
+ if (ret_flags) {
+ /* Return flags to caller, but we haven't processed delgations yet */
+ *ret_flags = flags & ~GSS_C_DELEG_FLAG;
+ }
+
(*context_handle)->state = ACCEPTOR_WAIT_FOR_DCESTYLE;
return GSS_S_CONTINUE_NEEDED;
}
- return gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle);
+ ret = gsskrb5_acceptor_ready(minor_status, context_handle, delegated_cred_handle);
+
+ /*
+ * We need to send the flags back to the caller
+ */
+
+ *ret_flags = (*context_handle)->flags;
+ return ret;
}
static OM_uint32
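Review bot: `*ret_flags = (*context_handle)->flags;` at the end of gsskrb5_acceptor_start dereferences ret_flags unconditionally, while both the removed code and the new GSS_C_DCE_STYLE branch a few lines above guard it with `if (ret_flags)`; a caller passing NULL for this optional output now crashes. Change it to `if (ret_flags) *ret_flags = (*context_handle)->flags;`. The flags are also copied out when gsskrb5_acceptor_ready failed, which looks harmless but deserves a word in the comment above it. gsskrb5_acceptor_start begins before this hunk.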
diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c
index 23c2603352..d67b400920 100644
--- a/source4/heimdal/lib/gssapi/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/acquire_cred.c
@@ -33,7 +33,53 @@
#include "gssapi_locl.h"
-RCSID("$Id: acquire_cred.c,v 1.23 2005/10/21 12:44:08 lha Exp $");
+RCSID("$Id: acquire_cred.c,v 1.24 2005/10/26 11:25:16 lha Exp $");
+
+OM_uint32
+_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal principal,
+ OM_uint32 *lifetime)
+{
+ krb5_creds in_cred, *out_cred;
+ krb5_const_realm realm;
+ krb5_error_code kret;
+
+ memset(&in_cred, 0, sizeof(in_cred));
+ in_cred.client = principal;
+
+ realm = krb5_principal_get_realm(gssapi_krb5_context, principal);
+ if (realm == NULL) {
+ gssapi_krb5_clear_status ();
+ *minor_status = KRB5_PRINC_NOMATCH; /* XXX */
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_make_principal(gssapi_krb5_context, &in_cred.server,
+ realm, KRB5_TGS_NAME, realm, NULL);
+ if (kret) {
+ gssapi_krb5_set_error_string();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ kret = krb5_get_credentials(gssapi_krb5_context, 0,
+ id, &in_cred, &out_cred);
+ krb5_free_principal(gssapi_krb5_context, in_cred.server);
+ if (kret) {
+ gssapi_krb5_set_error_string();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ *lifetime = out_cred->times.endtime;
+ krb5_free_creds(gssapi_krb5_context, out_cred);
+
+ return GSS_S_COMPLETE;
+}
+
+
+
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
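Review bot: `_gssapi_krb5_ccache_lifetime` is a new cross-file helper (declared in gssapi_locl.h and called from copy_ccache.c in this commit) with no header comment describing its contract. I would add above it: `/* Look up the TGT for `principal` in ccache `id` and store its endtime in *lifetime. On failure sets *minor_status and returns GSS_S_FAILURE; *minor_status is left untouched on success. */`. The `KRB5_PRINC_NOMATCH /* XXX */` mapping for a NULL realm should say why that code was chosen rather than leaving the marker.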
@@ -61,7 +107,6 @@ static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
krb5_keytab keytab,
- krb5_ccache ccache,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -75,10 +120,11 @@ static OM_uint32 acquire_initiator_cred
krb5_creds cred;
krb5_principal def_princ;
krb5_get_init_creds_opt *opt;
+ krb5_ccache ccache;
krb5_error_code kret;
- krb5_boolean made_ccache = FALSE;
krb5_boolean made_keytab = FALSE;
+ ccache = NULL;
def_princ = NULL;
ret = GSS_S_FAILURE;
memset(&cred, 0, sizeof(cred));
@@ -86,29 +132,22 @@ static OM_uint32 acquire_initiator_cred
/* If we have a preferred principal, lets try to find it in all
* caches, otherwise, fall back to default cache. Ignore
* errors. */
- if (ccache == NULL && handle->principal) {
+ if (handle->principal)
kret = krb5_cc_cache_match (gssapi_krb5_context,
handle->principal,
NULL,
&ccache);
- if (kret) {
- ccache = NULL;
- } else {
- made_ccache = TRUE;
- }
- }
+
if (ccache == NULL) {
kret = krb5_cc_default(gssapi_krb5_context, &ccache);
if (kret)
goto end;
- made_ccache = TRUE;
}
kret = krb5_cc_get_principal(context, ccache,
&def_princ);
if (kret != 0) {
/* we'll try to use a keytab below */
krb5_cc_destroy(context, ccache);
- made_ccache = FALSE;
ccache = NULL;
kret = 0;
} else if (handle->principal == NULL) {
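Review bot: `if (handle->principal)` now guards a multi-line call with no braces and drops the `if (kret) ccache = NULL;` the old code had, so the following `if (ccache == NULL)` fallback to krb5_cc_default depends on krb5_cc_cache_match leaving `*id` untouched on failure; should it ever store a partially set handle, the fallback is skipped and a bad handle reaches krb5_cc_get_principal. Brace the call and keep the reset explicit, e.g. `if (kret) ccache = NULL;` right after it. acquire_initiator_cred starts before this hunk and ends after it.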
@@ -133,65 +172,41 @@ static OM_uint32 acquire_initiator_cred
if (kret)
goto end;
}
- if (keytab != NULL) {
- kret = get_keytab(context, &keytab);
- if (kret)
- goto end;
- made_keytab = TRUE;
- }
- kret = krb5_get_init_creds_opt_alloc(context, &opt);
+ kret = get_keytab(context, &keytab);
+ if (kret)
+ goto end;
+ kret = krb5_get_init_creds_opt_alloc(gssapi_krb5_context, &opt);
if (kret)
goto end;
- kret = krb5_get_init_creds_keytab(context, &cred,
+ kret = krb5_get_init_creds_keytab(gssapi_krb5_context, &cred,
handle->principal, keytab, 0, NULL, opt);
krb5_get_init_creds_opt_free(opt);
if (kret)
goto end;
- if (ccache == NULL) {
- kret = krb5_cc_gen_new(context, &krb5_mcc_ops,
- &ccache);
- if (kret)
- goto end;
- made_ccache = TRUE;
- }
- kret = krb5_cc_initialize(context, ccache, cred.client);
+ kret = krb5_cc_gen_new(gssapi_krb5_context, &krb5_mcc_ops,
+ &ccache);
if (kret)
goto end;
- kret = krb5_cc_store_cred(context, ccache, &cred);
+ kret = krb5_cc_initialize(gssapi_krb5_context, ccache, cred.client);
if (kret)
goto end;
- handle->lifetime = cred.times.endtime;
- } else {
- krb5_creds in_cred, *out_cred;
- krb5_const_realm realm;
-
- memset(&in_cred, 0, sizeof(in_cred));
- in_cred.client = handle->principal;
-
- realm = krb5_principal_get_realm(context,
- handle->principal);
- if (realm == NULL) {
- kret = KRB5_PRINC_NOMATCH; /* XXX */
- goto end;
- }
-
- kret = krb5_make_principal(context, &in_cred.server,
- realm, KRB5_TGS_NAME, realm, NULL);
+ kret = krb5_cc_store_cred(gssapi_krb5_context, ccache, &cred);
if (kret)
goto end;
+ handle->lifetime = cred.times.endtime;
+ handle->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+ } else {
- kret = krb5_get_credentials(context, 0,
- ccache, &in_cred, &out_cred);
- krb5_free_principal(context, in_cred.server);
- if (kret)
+ ret = _gssapi_krb5_ccache_lifetime(minor_status,
+ ccache,
+ handle->principal,
+ &handle->lifetime);
+ if (ret != GSS_S_COMPLETE)
goto end;
-
- handle->lifetime = out_cred->times.endtime;
- krb5_free_creds(context, out_cred);
+ kret = 0;
}
handle->ccache = ccache;
- handle->made_ccache = made_ccache;
ret = GSS_S_COMPLETE;
end:
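Review bot: The keytab branch now calls `get_keytab(context, &keytab)` unconditionally but no longer sets `made_keytab = TRUE`, so the handle it opens is never closed by the `if (made_keytab) krb5_kt_close(...)` in the `end:` hunk that follows (L311-321), and the keytab the caller handed to gsskrb5_acquire_cred is overwritten rather than used. Unless get_keytab only fills `*keytab` when it is NULL (its body is not in this diff), this leaks one keytab handle per acquire; restore `made_keytab = TRUE;` after the successful call, or guard with `if (keytab == NULL)` as the old code seems to have intended. acquire_initiator_cred starts before this hunk and ends after it.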
@@ -202,8 +217,8 @@ end:
if (made_keytab)
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE) {
- if (made_ccache)
- krb5_cc_close(context, ccache);
+ if (ccache != NULL)
+ krb5_cc_close(gssapi_krb5_context, ccache);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
@@ -255,7 +270,6 @@ end:
OM_uint32 gsskrb5_acquire_cred
(OM_uint32 * minor_status,
struct krb5_keytab_data *keytab,
- struct krb5_ccache_data *ccache,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -314,7 +328,7 @@ OM_uint32 gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, gssapi_krb5_context,
- keytab, ccache,
+ keytab,
desired_name, time_req,
desired_mechs, cred_usage,
handle, actual_mechs, time_rec);
@@ -379,7 +393,7 @@ OM_uint32 gss_acquire_cred
)
{
return gsskrb5_acquire_cred(minor_status,
- NULL, NULL,
+ NULL,
desired_name,
time_req,
desired_mechs,
diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/copy_ccache.c
index 828ca64156..0f2f155870 100644
--- a/source4/heimdal/lib/gssapi/copy_ccache.c
+++ b/source4/heimdal/lib/gssapi/copy_ccache.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: copy_ccache.c,v 1.7 2003/09/01 15:11:09 lha Exp $");
+RCSID("$Id: copy_ccache.c,v 1.9 2005/10/31 16:02:08 lha Exp $");
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
@@ -61,6 +61,94 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
+
+OM_uint32
+gss_krb5_import_ccache(OM_uint32 *minor_status,
+ krb5_ccache in,
+ gss_cred_id_t *cred)
+{
+ krb5_error_code kret;
+ gss_cred_id_t handle;
+ OM_uint32 ret;
+
+ *cred = NULL;
+
+ GSSAPI_KRB5_INIT ();
+
+ handle = (gss_cred_id_t)calloc(1, sizeof(*handle));
+ if (handle == GSS_C_NO_CREDENTIAL) {
+ gssapi_krb5_clear_status ();
+ *minor_status = ENOMEM;
+ return (GSS_S_FAILURE);
+ }
+ HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
+
+ handle->usage = GSS_C_INITIATE;
+
+ kret = krb5_cc_get_principal(gssapi_krb5_context, in, &handle->principal);
+ if (kret) {
+ free(handle);
+ gssapi_krb5_set_error_string ();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ ret = _gssapi_krb5_ccache_lifetime(minor_status,
+ in,
+ handle->principal,
+ &handle->lifetime);
+ if (ret != GSS_S_COMPLETE) {
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ free(handle);
+ return ret;
+ }
+
+ ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+ if (ret == GSS_S_COMPLETE)
+ ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+ &handle->mechanisms);
+ if (ret != GSS_S_COMPLETE) {
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ free(handle);
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ {
+ const char *type, *name;
+ char *str;
+
+ type = krb5_cc_get_type(gssapi_krb5_context, in);
+ name = krb5_cc_get_name(gssapi_krb5_context, in);
+
+ if (asprintf(&str, "%s:%s", type, name) == -1) {
+ krb5_set_error_string(gssapi_krb5_context,
+ "malloc - out of memory");
+ kret = ENOMEM;
+ goto out;
+ }
+
+ kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache);
+ free(str);
+ if (kret)
+ goto out;
+ }
+
+ *minor_status = 0;
+ *cred = handle;
+ return GSS_S_COMPLETE;
+
+out:
+ gssapi_krb5_set_error_string ();
+ if (handle->principal)
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
+ free(handle);
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+}
+
+
OM_uint32
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
gss_ctx_id_t context_handle,
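Review bot: The failure path after `gss_create_empty_oid_set`/`gss_add_oid_set_member` stores `*minor_status = kret`, but kret is 0 there (the last krb5 call succeeded), so the minor status the oid-set call reported is overwritten, and `handle->mechanisms` leaks if the set was created; the two earlier returns after krb5_cc_get_principal and _gssapi_krb5_ccache_lifetime also free `handle` without the `HEIMDAL_MUTEX_destroy` that the `out:` label performs. Route every failure through `out:` and release the oid set there, as sketched below. The header comment should also record ownership: the function resolves its own handle from the `type:name` of `in`, so the caller keeps `in` and must still close it, and gss_release_cred will close rather than destroy the new handle because `cred_flags` stays 0.
```c
    kret = krb5_cc_get_principal(gssapi_krb5_context, in, &handle->principal);
    if (kret)
        goto out;

    ret = _gssapi_krb5_ccache_lifetime(minor_status, in,
                                       handle->principal, &handle->lifetime);
    if (ret != GSS_S_COMPLETE) {
        kret = *minor_status;   /* helper already reported the krb5 error */
        goto out;
    }

    ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
    if (ret == GSS_S_COMPLETE)
        ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
                                     &handle->mechanisms);
    if (ret != GSS_S_COMPLETE) {
        kret = *minor_status;   /* keep the status the oid-set call reported */
        goto out;
    }

    /* … unchanged: resolve "type:name" of `in` into handle->ccache … */

out:
    gssapi_krb5_set_error_string ();
    if (handle->mechanisms != GSS_C_NO_OID_SET) {
        OM_uint32 junk;
        gss_release_oid_set(&junk, &handle->mechanisms);
    }
    if (handle->principal)
        krb5_free_principal(gssapi_krb5_context, handle->principal);
    HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
    free(handle);
    *minor_status = kret;
    return GSS_S_FAILURE;
```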
diff --git a/source4/heimdal/lib/gssapi/delete_sec_context.c b/source4/heimdal/lib/gssapi/delete_sec_context.c
index 83658fa76c..301197aa4c 100644
--- a/source4/heimdal/lib/gssapi/delete_sec_context.c
+++ b/source4/heimdal/lib/gssapi/delete_sec_context.c
@@ -66,6 +66,8 @@ OM_uint32 gss_delete_sec_context
(*context_handle)->service_keyblock);
if((*context_handle)->order)
_gssapi_msg_order_destroy(&(*context_handle)->order);
+ if ((*context_handle)->fwd_data.length > 0)
+ free((*context_handle)->fwd_data.data);
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
HEIMDAL_MUTEX_destroy(&(*context_handle)->ctx_id_mutex);
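Review bot: Freeing `fwd_data.data` only when `length > 0` makes `length` the sole ownership signal, so every path that consumed the forwarded ticket must leave it consistent; `krb5_data_free(&(*context_handle)->fwd_data);` pairs with the `krb5_data_zero` used in accept_sec_context.c, covers both cases and resets the field. Since this buffer is the initiator's forwarded credential, a comment that it lives for the whole context is useful: `/* forwarded TGT from the initiator, held since gsskrb5_acceptor_start */`. This also assumes initiator-side contexts have fwd_data zeroed at creation; _gsskrb5_create_ctx is not in this diff, so worth checking.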
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index 4bf6780daa..64a31d1eee 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi.h,v 1.37 2005/02/21 08:48:15 lukeh Exp $ */
+/* $Id: gssapi.h,v 1.38 2005/10/26 11:22:13 lha Exp $ */
#ifndef GSSAPI_H_
#define GSSAPI_H_
@@ -778,7 +778,6 @@ OM_uint32 gss_unseal
OM_uint32 gsskrb5_acquire_cred
(OM_uint32 * minor_status,
struct krb5_keytab_data *keytab,
- struct krb5_ccache_data *ccache,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -806,6 +805,11 @@ OM_uint32 gss_krb5_copy_service_keyblock
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
+OM_uint32
+gss_krb5_import_ccache(OM_uint32 */*minor*/,
+ struct krb5_ccache_data * /*in*/,
+ gss_cred_id_t */*out*/);
+
OM_uint32 gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
gss_ctx_id_t /*context_handle*/,
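Review bot: The new public prototype for `gss_krb5_import_ccache` does not say who owns `in` afterwards or whether the returned credential's cache is destroyed or merely closed on release. Given that the implementation in copy_ccache.c resolves a fresh handle from the cache's type:name and leaves `cred_flags` at 0, a comment here would spare callers from reading the source: `/* Build an initiator credential from an existing ccache. The caller keeps ownership of `in`; gss_release_cred closes (does not destroy) the credential's cache. */`.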
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index 1d22099877..aa663e87a6 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_locl.h,v 1.41 2005/10/12 15:20:37 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.42 2005/10/26 11:23:48 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
@@ -79,12 +79,13 @@ typedef struct gss_ctx_id_t_desc_struct {
typedef struct gss_cred_id_t_desc_struct {
gss_name_t principal;
+ int cred_flags;
+#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
krb5_boolean made_keytab;
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
gss_OID_set mechanisms;
- krb5_boolean made_ccache;
struct krb5_ccache_data *ccache;
HEIMDAL_MUTEX cred_id_mutex;
} gss_cred_id_t_desc;
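Review bot: `#define GSS_CF_DESTROY_CRED_ON_RELEASE 1` sits inside the struct body between two members, where it reads like a field and is easy to miss; a file-scope `enum { GSS_CF_DESTROY_CRED_ON_RELEASE = 1 };` (or the define placed just before the typedef) with a comment on the member is the usual shape. With `made_ccache` gone, `ccache != NULL` is now the only signal that gss_release_cred must tear the cache down, which deserves a note: `int cred_flags; /* GSS_CF_*: whether ccache is destroyed or just closed in gss_release_cred */`.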
@@ -108,7 +109,6 @@ struct gssapi_thr_context {
*/
krb5_error_code gssapi_krb5_init (void);
-krb5_error_code gssapi_krb5_init_ev (void *event_context);
#define GSSAPI_KRB5_INIT() do { \
krb5_error_code kret_gss_init; \
@@ -271,6 +271,10 @@ _gss_check_compat(OM_uint32 *, gss_name_t, const char *,
OM_uint32
gssapi_lifetime_left(OM_uint32 *, OM_uint32, OM_uint32 *);
+OM_uint32
+_gssapi_krb5_ccache_lifetime(OM_uint32 *, krb5_ccache,
+ krb5_principal, OM_uint32 *);
+
/* sequence */
OM_uint32
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index 93e8d44c86..b8eb748bf5 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -162,7 +162,7 @@ _gsskrb5_create_ctx(
static OM_uint32
gsskrb5_get_creds(
OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ krb5_ccache ccache,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
OM_uint32 time_req,
@@ -172,22 +172,10 @@ gsskrb5_get_creds(
OM_uint32 ret;
krb5_error_code kret;
krb5_creds this_cred;
- krb5_ccache ccache = NULL;
OM_uint32 lifetime_rec;
*cred = NULL;
- if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
- kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- if (kret) {
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
- } else {
- ccache = initiator_cred_handle->ccache;
- }
-
kret = krb5_cc_get_principal(gssapi_krb5_context,
ccache,
&(*context_handle)->source);
@@ -246,10 +234,6 @@ gsskrb5_get_creds(
if (time_rec) *time_rec = lifetime_rec;
- if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
- krb5_cc_close(gssapi_krb5_context, ccache);
- }
-
return GSS_S_COMPLETE;
}
@@ -351,7 +335,7 @@ do_delegation (krb5_auth_context ac,
static OM_uint32
gsskrb5_initiator_start
(OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ krb5_ccache ccache,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
@@ -369,7 +353,6 @@ gsskrb5_initiator_start
krb5_flags ap_options;
krb5_creds *cred = NULL;
krb5_data outbuf;
- krb5_ccache ccache = NULL;
u_int32_t flags;
krb5_data authenticator;
Checksum cksum;
@@ -383,7 +366,7 @@ gsskrb5_initiator_start
/* We need to get the credentials for the requested target */
ret = gsskrb5_get_creds(minor_status,
- initiator_cred_handle,
+ ccache,
context_handle,
target_name,
time_req,
@@ -543,7 +526,7 @@ gsskrb5_initiator_start
static OM_uint32
gsskrb5_initiator_wait_for_mutual(
OM_uint32 * minor_status,
- const gss_cred_id_t initiator_cred_handle,
+ krb5_ccache ccache,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
@@ -697,6 +680,8 @@ gsskrb5_init_sec_context
)
{
OM_uint32 ret;
+ krb5_error_code kret;
+ krb5_ccache ccache = NULL;
if (*context_handle == GSS_C_NO_CONTEXT) {
ret = _gsskrb5_create_ctx(minor_status,
@@ -708,12 +693,23 @@ gsskrb5_init_sec_context
if (actual_mech_type) *actual_mech_type = GSS_KRB5_MECHANISM;
+ if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+ kret = krb5_cc_default (gssapi_krb5_context, &ccache);
+ if (kret) {
+ gssapi_krb5_set_error_string ();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+ } else {
+ ccache = initiator_cred_handle->ccache;
+ }
+
HEIMDAL_MUTEX_lock(&(*context_handle)->ctx_id_mutex);
switch ((*context_handle)->state) {
case INITIATOR_START:
ret = gsskrb5_initiator_start(minor_status,
- initiator_cred_handle,
+ ccache,
context_handle,
target_name,
mech_type,
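Review bot: `ccache = initiator_cred_handle->ccache;` is used with no check that the credential actually carries a ccache; a handle acquired with GSS_C_ACCEPT presumably leaves `ccache` NULL (acquire_initiator_cred only runs for INITIATE/BOTH in acquire_cred.c), and that NULL then reaches krb5_cc_get_principal inside gsskrb5_get_creds. The old code had the same gap, but now that the lookup lives here a guard is cheap: `if (ccache == NULL) { *minor_status = 0; return GSS_S_NO_CRED; }`. The default cache is also resolved for every state of the machine, not only those that read it, which is fine but could be said in a comment. gsskrb5_init_sec_context starts before and ends after this hunk.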
@@ -727,7 +723,7 @@ gsskrb5_init_sec_context
break;
case INITIATOR_WAIT_FOR_MUTAL:
ret = gsskrb5_initiator_wait_for_mutual(minor_status,
- initiator_cred_handle,
+ ccache,
context_handle,
target_name,
mech_type,
@@ -771,6 +767,10 @@ gsskrb5_init_sec_context
break;
}
+ if (initiator_cred_handle == GSS_C_NO_CREDENTIAL) {
+ krb5_cc_close(gssapi_krb5_context, ccache);
+ }
+
HEIMDAL_MUTEX_unlock(&(*context_handle)->ctx_id_mutex);
return ret;
diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c
index 8ae65dd528..ddd80c144b 100644
--- a/source4/heimdal/lib/gssapi/release_cred.c
+++ b/source4/heimdal/lib/gssapi/release_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -54,10 +54,10 @@ OM_uint32 gss_release_cred
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
if ((*cred_handle)->made_keytab)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
- if ((*cred_handle)->made_ccache) {
+ if ((*cred_handle)->ccache != NULL) {
const krb5_cc_ops *ops;
ops = krb5_cc_get_ops(gssapi_krb5_context, (*cred_handle)->ccache);
- if (ops == &krb5_mcc_ops)
+ if ((*cred_handle)->cred_flags & GSS_CF_DESTROY_CRED_ON_RELEASE)
krb5_cc_destroy(gssapi_krb5_context, (*cred_handle)->ccache);
else
krb5_cc_close(gssapi_krb5_context, (*cred_handle)->ccache);
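Review bot: `ops` is now assigned from krb5_cc_get_ops but never read, because the branch decides on `cred_flags` instead; drop `const krb5_cc_ops *ops;` and the `ops = krb5_cc_get_ops(...)` line to avoid an unused-variable warning. With the memory-cache test gone, every credential not flagged GSS_CF_DESTROY_CRED_ON_RELEASE is only closed, so a credential built by gss_krb5_import_ccache leaves the caller's cache intact; a one-line comment stating that here would help the next reader. gss_release_cred starts before this hunk.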