From: Greg Hudson
Date: Tue, 27 Apr 2010 09:14:58 +0000 (+0000)
Subject: Make IAKERB work properly when used in conjunction with default creds
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c48b07520086dca990c910b0a5083bb3c0426a8c;p=thirdparty%2Fkrb5.git

Make IAKERB work properly when used in conjunction with default creds or creds acquired with gss_acquire_cred (as opposed to gss_acquire_cred_with_password). Previously it would fall back to the krb5 mech too early and perform a blocking TGS request.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/iakerb@23947 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 5418f1b814..c3e84818dd 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -529,12 +529,6 @@ acquire_cred(minor_status, desired_name, password, time_req,
         goto krb_error_out;
     }
 
-    if (req_iakerb &&
-        (password == GSS_C_NO_BUFFER || cred_usage == GSS_C_BOTH)) {
-        code = G_BAD_USAGE;
-        goto krb_error_out;
-    }
-
     /* verify that the requested mechanism set is the default, or
        contains krb5 */
 
@@ -770,6 +764,25 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
                         time_rec, 0);
 }
 
+OM_uint32
+iakerb_gss_acquire_cred(minor_status, desired_name, time_req,
+                        desired_mechs, cred_usage, output_cred_handle,
+                        actual_mechs, time_rec)
+    OM_uint32 *minor_status;
+    gss_name_t desired_name;
+    OM_uint32 time_req;
+    gss_OID_set desired_mechs;
+    gss_cred_usage_t cred_usage;
+    gss_cred_id_t *output_cred_handle;
+    gss_OID_set *actual_mechs;
+    OM_uint32 *time_rec;
+{
+    return acquire_cred(minor_status, desired_name, GSS_C_NO_BUFFER,
+                        time_req, desired_mechs,
+                        cred_usage, output_cred_handle, actual_mechs,
+                        time_rec, 1);
+}
+
 OM_uint32
 krb5_gss_acquire_cred_with_password(OM_uint32 *minor_status,
                                     const gss_name_t desired_name,
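Review bot: Dropping the whole guard in the first acquire_cred.c hunk also lifts the `cred_usage == GSS_C_BOTH` restriction for IAKERB, not only the password requirement, and nothing in the hunk says whether acceptor-capable IAKERB credentials are now intended. If only the password half was meant to go, keep the usage check as `if (req_iakerb && cred_usage == GSS_C_BOTH) {` with the same `code = G_BAD_USAGE; goto krb_error_out;` body; if GSS_C_BOTH is deliberately allowed now, a one-line comment at that point, such as `/* IAKERB creds may be acquired without a password; see iakerb_gss_acquire_cred. */`, would record the reason. acquire_cred's body starts and ends outside the hunk, so whether the remaining code copes with req_iakerb under an acceptor usage cannot be checked here.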
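Review bot: iakerb_gss_acquire_cred in the second acquire_cred.c hunk is an old-style (K&R) definition with the parameter types listed after the parenthesis, while its declaration in gssapiP_krb5.h and the neighbouring krb5_gss_acquire_cred_with_password use prototypes; unless the file keeps krb5_gss_acquire_cred in K&R form on purpose, the prototype form gives the definition the same type checking. The function is also undocumented, and its only differences from the sibling are the GSS_C_NO_BUFFER password and the trailing 1, presumably the req_iakerb flag seen in the first hunk. A header comment such as `/* gss_acquire_cred entry for the IAKERB mechanism: like krb5_gss_acquire_cred, but without a password and with the IAKERB flag set. */` would make that explicit; acquire_cred's parameter list, which names that last argument, is outside the hunk.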
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 0073138367..4be30ba41c 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -523,6 +523,18 @@ OM_uint32 krb5_gss_acquire_cred
  OM_uint32*        /* time_rec */
 );
 
+OM_uint32
+iakerb_gss_acquire_cred
+(OM_uint32*,       /* minor_status */
+ gss_name_t,       /* desired_name */
+ OM_uint32,        /* time_req */
+ gss_OID_set,      /* desired_mechs */
+ gss_cred_usage_t, /* cred_usage */
+ gss_cred_id_t*,   /* output_cred_handle */
+ gss_OID_set*,     /* actual_mechs */
+ OM_uint32*        /* time_rec */
+);
+
 OM_uint32
 krb5_gss_acquire_cred_with_password(
     OM_uint32 *minor_status,
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 626d2992f4..c902c3dcc9 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -718,6 +718,7 @@ static int gss_iakerbmechglue_init(void)
     iakerb_mechanism.gss_accept_sec_context = iakerb_gss_accept_sec_context;
     iakerb_mechanism.gss_init_sec_context = iakerb_gss_init_sec_context;
     iakerb_mechanism.gss_delete_sec_context = iakerb_gss_delete_sec_context;
+    iakerb_mechanism.gss_acquire_cred = iakerb_gss_acquire_cred;
 
     memset(&mech_iakerb, 0, sizeof(mech_iakerb));
     mech_iakerb.mech = &iakerb_mechanism;
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index eee7c73220..3ae4f3bb2a 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -680,11 +680,6 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx,
     krb5_creds in_creds, *out_creds = NULL;
     krb5_error_code code;
 
-    if (cred == NULL || cred->iakerb_mech == 0) {
-        *state = IAKERB_AP_REQ;
-        return 0;
-    }
-
     memset(&in_creds, 0, sizeof(in_creds));
     in_creds.client = cred->name->princ;
 
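Review bot: With the early return gone from the iakerb.c hunk, iakerb_get_initial_state dereferences `cred->name->princ` unconditionally, so a NULL cred is now a caller precondition rather than a handled case; the iakerb_gss_init_sec_context change makes that hold for the initiator path by acquiring a default credential, but any other caller would crash here. Stating the precondition above the function (`/* cred must be non-NULL; callers without a credential acquire a default one first. */`) or adding `assert(cred != NULL);` before the memset would make the new contract visible. The removed branch also covered `cred->iakerb_mech == 0`, which mapped directly to IAKERB_AP_REQ; presumably that case is now decided later in the function, whose body continues past the hunk.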
@@ -951,8 +946,10 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
                            OM_uint32 *time_rec)
 {
     OM_uint32 major_status = GSS_S_FAILURE;
+    OM_uint32 tmpmin;
     krb5_error_code code;
     iakerb_ctx_id_t ctx;
+    gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
     krb5_gss_cred_id_t kcred;
     krb5_gss_name_t kname;
     int credLocked = 0;
@@ -984,8 +981,16 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
 
         credLocked = 1;
         kcred = (krb5_gss_cred_id_t)claimant_cred_handle;
-    } else
-        kcred = NULL;
+    } else {
+        major_status = iakerb_gss_acquire_cred(minor_status, NULL,
+                                               GSS_C_INDEFINITE,
+                                               GSS_C_NULL_OID_SET,
+                                               GSS_C_INITIATE,
+                                               &defcred, NULL, NULL);
+        if (GSS_ERROR(major_status))
+            goto cleanup;
+        kcred = (krb5_gss_cred_id_t)defcred;
+    }
 
     major_status = GSS_S_FAILURE;
 
@@ -1034,7 +1039,7 @@ iakerb_gss_init_sec_context(OM_uint32 *minor_status,
 
     /* IAKERB is finished, or we skipped to Kerberos directly. */
     major_status = krb5_gss_init_sec_context_ext(minor_status,
-                                                 claimant_cred_handle,
+                                                 (gss_cred_id_t) kcred,
                                                  &ctx->u.gssc,
                                                  target_name,
                                                  GSS_C_NULL_OID,
@@ -1069,6 +1074,7 @@ cleanup:
         iakerb_release_context(ctx);
         *context_handle = GSS_C_NO_CONTEXT;
     }
+    krb5_gss_release_cred(&tmpmin, &defcred);
     return major_status;
 }
 
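Review bot: In the second hunk the default-credential path acquires a fresh credential on every entry into iakerb_gss_init_sec_context, and the last hunk releases it with `krb5_gss_release_cred(&tmpmin, &defcred);` before returning, so if this code runs before the existing `*context_handle` is looked up, a multi-round IAKERB exchange re-acquires and drops the credential once per token, and anything in ctx that retains a pointer to kcred across calls would dangle after the release. Moving the acquisition after the context lookup, or keeping the default credential in ctx for the life of the exchange, would avoid both, if the code between the hunks permits it. The caller-supplied path is validated and sets `credLocked = 1`, while the default path leaves credLocked at 0; that is fine only as long as nothing later assumes the credential lock is held for kcred, which cannot be confirmed from the hunks. The parts of the function between the hunks are not shown.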