[2662] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

krb5-libs/370: krb5-ligs

daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Wed Feb 12 12:16:15 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, jik@cam.ov.com
Date: Wed, 12 Feb 1997 12:14:42 -0500
From: "Jonathan I. Kamens" <jik@kamens.brookline.ma.us>
Reply-To: jik@cam.ov.com
To: krb5-bugs@MIT.EDU
Cc: jik@cam.ov.com


>Number:         370
>Category:       krb5-libs
>Synopsis:       krb5-ligs
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Feb 12 12:12:01 EST 1997
>Last-Modified:
>Originator:     Jonathan I. Kamens
>Organization:
OpenVision Technologies, Inc.
>Release:        1.0
>Environment:
N/A
>Description:
	When the GSS-API library acquires accept tokens, it should
open the replay cache for the service for which it can accept
connections, and use that open replay cache when accepting contexts
rather than making krb5_rd_req() open, read and close the replay
cache over and over again each time a new connection comes in.

	When I applied the fix below to do what I've just described,
the time it took to establish a context with mutual authentication
dropped from 191ms to 61ms.  While times measured in milleseconds may
not seem all that significant at first glance, we've got to start
considering times like that significant if we want people to employ
GSS-API applications in high-volume production environments.

	The patch below also removes some $Id$ lines, which aren't
necessary since neither MIT nor OV is using them any longer.
>How-To-Repeat:
	
>Fix:
--- krb5-1.0/src/lib/gssapi/krb5/accept_sec_context.c	Wed Nov 20 22:13:03 1996
+++ krb5-1.0/src/lib/gssapi/krb5/accept_sec_context.c	Wed Feb 12 12:02:30 1997
@@ -23,10 +23,6 @@
 #include "gssapiP_krb5.h"
 #include <memory.h>
 
-/*
- * $Id: accept_sec_context.c,v 1.34.2.3 1996/11/21 03:13:03 marc Exp $
- */
-
 #if 0
 
 /* XXXX This widen/narrow stuff is bletcherous, but it seems to be
@@ -237,9 +233,19 @@
 
    /* decode the message */
 
+   if ((code = krb5_auth_con_init(context, &auth_context))) {
+     *minor_status = code;
+     return(GSS_S_FAILURE);
+   }
+   if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+     *minor_status = code;
+     return(GSS_S_FAILURE);
+   }
    if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
 			  cred->keytab, NULL, &ticket))) {
       *minor_status = code;
+      (void) krb5_auth_con_setrcache(context, auth_context, NULL);
+      (void) krb5_auth_con_free(context, auth_context);
       return(GSS_S_FAILURE);
    }
 
--- krb5-1.0/src/lib/gssapi/krb5/acquire_cred.c	Thu Oct 10 13:51:42 1996
+++ krb5-1.0/src/lib/gssapi/krb5/acquire_cred.c	Wed Feb 12 12:02:52 1997
@@ -27,10 +27,6 @@
 #include <strings.h>
 #endif
 
-/*
- * $Id: acquire_cred.c,v 1.18 1996/10/10 17:51:42 tytso Exp $
- */
-
 /* get credentials corresponding to a key in the krb5 keytab.
    If the default name is requested, return the name in output_princ.
      If output_princ is non-NULL, the caller will use or free it, regardless
@@ -118,6 +114,15 @@
    /* hooray.  we made it */
 
    cred->keytab = kt;
+
+   /* Open the replay cache for this principal. */
+   if ((code = krb5_get_server_rcache(context,
+				      krb5_princ_component(context, princ, 0),
+				      &cred->rcache))) {
+     *minor_status = code;
+     return(GSS_S_FAILURE);
+   }
+
    return(GSS_S_COMPLETE);
 }
 
--- krb5-1.0/src/lib/gssapi/krb5/delete_sec_context.c	Sat Oct 19 01:05:19 1996
+++ krb5-1.0/src/lib/gssapi/krb5/delete_sec_context.c	Wed Feb 12 12:03:09 1997
@@ -22,10 +22,6 @@
 
 #include "gssapiP_krb5.h"
 
-/*
- * $Id: delete_sec_context.c,v 1.12 1996/10/19 05:05:19 tytso Exp $
- */
-
 OM_uint32
 krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
      OM_uint32 *minor_status;
@@ -92,8 +88,10 @@
    krb5_free_principal(context, ctx->there);
    krb5_free_keyblock(context, ctx->subkey);
 
-   if (ctx->auth_context)
+   if (ctx->auth_context) {
+       (void) krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
        krb5_auth_con_free(context, ctx->auth_context);
+   }
 
    if (ctx->mech_used)
        gss_release_oid(minor_status, &ctx->mech_used);
--- krb5-1.0/src/lib/gssapi/krb5/gssapiP_krb5.h	Wed Nov 20 21:19:35 1996
+++ krb5-1.0/src/lib/gssapi/krb5/gssapiP_krb5.h	Wed Feb 12 12:03:33 1997
@@ -23,10 +23,6 @@
 #ifndef _GSSAPIP_KRB5_H_
 #define _GSSAPIP_KRB5_H_
 
-/*
- * $Id: gssapiP_krb5.h,v 1.31.2.1 1996/11/21 02:19:35 marc Exp $
- */
-
 #if (defined(_MSDOS) || defined(_WIN32) || defined(_MACINTOSH))
 #include <k5-int.h>
 #else
@@ -91,6 +87,7 @@
    /* ccache (init) data */
    krb5_ccache ccache;
    krb5_timestamp tgt_expire;
+   krb5_rcache rcache;
 } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t; 
 
 typedef struct _krb5_gss_enc_desc {
--- krb5-1.0/src/lib/gssapi/krb5/rel_cred.c	Mon Jul 22 16:34:24 1996
+++ krb5-1.0/src/lib/gssapi/krb5/rel_cred.c	Wed Feb 12 08:10:24 1997
@@ -29,7 +29,7 @@
 {
    krb5_context context;
    krb5_gss_cred_id_t cred;
-   krb5_error_code code1, code2;
+   krb5_error_code code1, code2, code3;
 
    if (GSS_ERROR(kg_get_context(minor_status, &context)))
       return(GSS_S_FAILURE);
@@ -54,6 +54,11 @@
    else
       code2 = 0;
 
+   if (cred->rcache)
+     code3 = krb5_rc_close(context, cred->rcache);
+   else
+     code3 = 0;
+
    if (cred->princ)
       krb5_free_principal(context, cred->princ);
    xfree(cred);
@@ -65,6 +70,8 @@
       *minor_status = code1;
    if (code2)
       *minor_status = code2;
+   if (code3)
+     *minor_status = code3;
 
    return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE);
 }
>Audit-Trail:
>Unformatted:

home help back first fref pref prev next nref lref last post