Should gss_inquire_cred_by_mech() set the initiator and acceptor lifetimes
when called with the credential GSS_C_NO_CREDENTIAL?

My reading of the description of this function in RFC2744 suggests that it
should set these to the lifetimes of the default initiator principal.

I find with the MIT implementation (krb5-1.5.2) the lifetimes are not
returned in this case.

src/lib/gssapi/krb5/inq_cred.c contains the following in
krb5_gss_inquire_cred_by_mech():
.....
    cred = (krb5_gss_cred_id_t) cred_handle;
    mstat = krb5_gss_inquire_cred(minor_status,
                                  cred_handle,
                                  name,
                                  &lifetime,
                                  cred_usage,
                                  (gss_OID_set *) NULL);
    if (mstat == GSS_S_COMPLETE) {
        if (cred &&
            ((cred->usage == GSS_C_INITIATE) ||
             (cred->usage == GSS_C_BOTH)) &&
            initiator_lifetime)
            *initiator_lifetime = lifetime;
        if (cred &&
            ((cred->usage == GSS_C_ACCEPT) ||
             (cred->usage == GSS_C_BOTH)) &&
            acceptor_lifetime)
            *acceptor_lifetime = lifetime;
    }

This means that if the cred_handle passed in is GSS_C_NO_CREDENTIAL (=NULL),
the lifetimes will not be passed to the caller.

The behaviour I expect occurs if the conditions become:

    if (mstat == GSS_S_COMPLETE) {
        /* cred_usage is an optional output parameter, so check it
           before dereferencing it */
        if (cred_usage &&
            ((*cred_usage == GSS_C_INITIATE) ||
             (*cred_usage == GSS_C_BOTH)) &&
            initiator_lifetime)
            *initiator_lifetime = lifetime;
        if (cred_usage &&
            ((*cred_usage == GSS_C_ACCEPT) ||
             (*cred_usage == GSS_C_BOTH)) &&
            acceptor_lifetime)
            *acceptor_lifetime = lifetime;
    }

Is this correct? If so, should I post it to the krb5-bugs list?

BTW, the krb5-1.6 source has not changed in this area.

Thanks


________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
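As an added illustration (not code from the post or from MIT krb5), here is a self-contained C model of the two gating conditions discussed above: stand-in types, a stub krb5_gss_inquire_cred() that resolves GSS_C_NO_CREDENTIAL to a constructed default initiator credential, and the original versus proposed logic side by side. The fixed variant reads the usage into a local instead of dereferencing cred_usage, so a caller that passes NULL for that optional output is also handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed stand-ins for the GSSAPI/krb5 types in the post (not the real headers). */
typedef uint32_t OM_uint32;
typedef int gss_cred_usage_t;
enum { GSS_C_BOTH = 0, GSS_C_INITIATE = 1, GSS_C_ACCEPT = 2 };
#define GSS_S_COMPLETE 0
#define GSS_C_NO_CREDENTIAL NULL
typedef struct { gss_cred_usage_t usage; OM_uint32 lifetime; } krb5_gss_cred_rec, *krb5_gss_cred_id_t;

/* Constructed credentials: the default initiator cred a NULL handle resolves to, plus an acceptor cred. */
krb5_gss_cred_rec default_cred = { GSS_C_INITIATE, 3600 };
krb5_gss_cred_rec acceptor_cred = { GSS_C_ACCEPT, 7200 };

/* Stub of krb5_gss_inquire_cred(): resolves a NULL handle to the default
 * credential and reports that credential's lifetime and usage. */
static OM_uint32 stub_inquire_cred(krb5_gss_cred_id_t cred, OM_uint32 *lifetime,
                                   gss_cred_usage_t *usage) {
    if (cred == GSS_C_NO_CREDENTIAL) cred = &default_cred;
    *lifetime = cred->lifetime;
    if (usage) *usage = cred->usage;
    return GSS_S_COMPLETE;
}

/* Original gating: tests the raw handle, so a NULL handle never sets either lifetime. */
OM_uint32 inquire_by_mech_original(krb5_gss_cred_id_t cred_handle, OM_uint32 *init_lt,
                                   OM_uint32 *acc_lt, gss_cred_usage_t *cred_usage) {
    krb5_gss_cred_id_t cred = cred_handle;
    OM_uint32 lifetime, mstat = stub_inquire_cred(cred_handle, &lifetime, cred_usage);
    if (mstat == GSS_S_COMPLETE) {
        if (cred && (cred->usage == GSS_C_INITIATE || cred->usage == GSS_C_BOTH) && init_lt)
            *init_lt = lifetime;
        if (cred && (cred->usage == GSS_C_ACCEPT || cred->usage == GSS_C_BOTH) && acc_lt)
            *acc_lt = lifetime;
    }
    return mstat;
}

/* Proposed gating: tests the usage inquire_cred reported, read into a local so a
 * caller passing NULL for the optional cred_usage output cannot crash us. */
OM_uint32 inquire_by_mech_fixed(krb5_gss_cred_id_t cred_handle, OM_uint32 *init_lt,
                                OM_uint32 *acc_lt, gss_cred_usage_t *cred_usage) {
    gss_cred_usage_t usage;
    OM_uint32 lifetime, mstat = stub_inquire_cred(cred_handle, &lifetime, &usage);
    if (mstat == GSS_S_COMPLETE) {
        if (cred_usage) *cred_usage = usage;
        if ((usage == GSS_C_INITIATE || usage == GSS_C_BOTH) && init_lt) *init_lt = lifetime;
        if ((usage == GSS_C_ACCEPT || usage == GSS_C_BOTH) && acc_lt) *acc_lt = lifetime;
    }
    return mstat;
}
```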