From ff5eb892910eeac335d989ae14020da4ffbcc8ec Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 29 Feb 2016 16:51:22 -0500
Subject: [PATCH] Skip unnecessary mech calls in gss_inquire_cred()
If the caller does not request a name, lifetime, or cred_usage when
calling gss_inquire_cred(), service the call by copying the mechanism
list (if requested) but do not call into the mech.
This change alleviates an issue (reported by Adam Bernstein) where
SPNEGO can fail in the presence of expired krb5 credentials rather
than proceeding with a different mechanism, or can resolve a krb5
credential without the benefit of the target name.
ticket: 8373
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/gssapi/mechglue/g_inq_cred.c | 39 ++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 17 deletions(-)
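--- a/src/lib/gssapi/mechglue/g_inq_cred.c
+++ b/src/lib/gssapi/mechglue/g_inq_cred.c
@@ -92,27 +92,32 @@ gss_OID_set * mechanisms;
 mech_cred = GSS_C_NO_CREDENTIAL;
 mech = gssint_get_mechanism(GSS_C_NULL_OID);
 }
- if (mech == NULL)
- return (GSS_S_DEFECTIVE_CREDENTIAL);
- if (!mech->gss_inquire_cred)
- return (GSS_S_UNAVAILABLE);
 
- status = mech->gss_inquire_cred(minor_status, mech_cred,
- name ? &mech_name : NULL,
- lifetime, cred_usage, NULL);
- if (status != GSS_S_COMPLETE) {
- map_error(minor_status, mech);
- return(status);
- }
+ /* Skip the call into the mech if the caller doesn't care about any of the
+ * values we would ask for. */
+ if (name != NULL || lifetime != NULL || cred_usage != NULL) {
+ if (mech == NULL)
+ return (GSS_S_DEFECTIVE_CREDENTIAL);
+ if (!mech->gss_inquire_cred)
+ return (GSS_S_UNAVAILABLE);
 
- if (name) {
- /* Convert mech_name into a union_name equivalent. */
- status = gssint_convert_name_to_union_name(&temp_minor_status,
- mech, mech_name, name);
+ status = mech->gss_inquire_cred(minor_status, mech_cred,
+ name ? &mech_name : NULL,
+ lifetime, cred_usage, NULL);
 if (status != GSS_S_COMPLETE) {
- *minor_status = temp_minor_status;
 map_error(minor_status, mech);
- return (status);
+ return(status);
+ }
+
+ if (name) {
+ /* Convert mech_name into a union_name equivalent. */
+ status = gssint_convert_name_to_union_name(&temp_minor_status,
+ mech, mech_name, name);
+ if (status != GSS_S_COMPLETE) {
+ *minor_status = temp_minor_status;
+ map_error(minor_status, mech);
+ return (status);
+ }
 }
 }
 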
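Review bot: The early-out added at `if (name != NULL || lifetime != NULL || cred_usage != NULL)` also bypasses the `mech == NULL` → `GSS_S_DEFECTIVE_CREDENTIAL` and `!mech->gss_inquire_cred` → `GSS_S_UNAVAILABLE` checks, so a caller passing NULL for all three now gets a success return for a credential whose mechanism cannot be resolved, where the old code returned an error. That is consistent with the commit's intent, but it quietly changes what `gss_inquire_cred(..., NULL, NULL, NULL, &mechs)` means for any caller that used it as a cheap credential validity probe, and the new comment should state that explicitly, e.g. `/* Skip the call into the mech if the caller doesn't care about any of the values we would ask for.  Note this also skips the defective-credential and unavailable-mech checks; callers that need to know whether the cred is usable must ask for a name, lifetime, or usage. */`. On style, the hunk introduces `return(status);` on the mech-call failure path but `return (status);` on the name-conversion failure path a few lines later; pick one spacing for both. The enclosing function starts before and ends after this hunk, so the handling of `mechanisms` after the skipped block is not visible here.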
--
2.8.0.rc3