From jik@kamens.brookline.ma.us Wed Feb 12 12:11:25 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA10127 for <bugs@RT-11.MIT.EDU>; Wed, 12 Feb 1997 12:11:24 -0500
Received: from jik.saturn.net by MIT.EDU with SMTP
id AA21182; Wed, 12 Feb 97 12:11:19 EST
Received: (from jik@localhost)
by jik.saturn.net (8.8.4/8.8.4)
id MAA22364; Wed, 12 Feb 1997 12:14:42 -0500
Message-Id: <199702121714.MAA22364@jik.saturn.net>
Date: Wed, 12 Feb 1997 12:14:42 -0500
From: "Jonathan I. Kamens" <jik@kamens.brookline.ma.us>
Reply-To: jik@cam.ov.com
To: krb5-bugs@MIT.EDU
Cc: jik@cam.ov.com
Subject: gssapi speedups (rcache)
X-Send-Pr-Version: 3.99

>Number: 370
>Category: krb5-libs
>Synopsis: gssapi speedups (rcache)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Feb 12 12:12:01 EST 1997
>Last-Modified: Mon Aug 11 16:10:00 EDT 1997
>Originator: Jonathan I. Kamens
>Organization:
OpenVision Technologies, Inc.
>Release: 1.0
>Environment:
N/A
>Description:
When the GSS-API library acquires accept tokens, it should
open the replay cache for the service for which it can accept
connections, and use that open replay cache when accepting contexts
rather than making krb5_rd_req() open, read and close the replay
cache over and over again each time a new connection comes in.

When I applied the fix below to do what I've just described,
the time it took to establish a context with mutual authentication
dropped from 191ms to 61ms. While times measured in milliseconds may
not seem all that significant at first glance, we've got to start
considering times like that significant if we want people to employ
GSS-API applications in high-volume production environments.

The patch below also removes some $Id$ lines, which aren't
necessary since neither MIT nor OV is using them any longer.
>How-To-Repeat:

>Fix:
--- krb5-1.0/src/lib/gssapi/krb5/accept_sec_context.c Wed Nov 20 22:13:03 1996
+++ krb5-1.0/src/lib/gssapi/krb5/accept_sec_context.c Wed Feb 12 12:02:30 1997
@@ -23,10 +23,6 @@
#include "gssapiP_krb5.h"
#include <memory.h>

-/*
- * $Id: accept_sec_context.c,v 1.34.2.3 1996/11/21 03:13:03 marc Exp $
- */
-
#if 0

/* XXXX This widen/narrow stuff is bletcherous, but it seems to be
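Review bot: the $Id$ comment removal at the top of accept_sec_context.c (repeated in acquire_cred.c, delete_sec_context.c and gssapiP_krb5.h) is unrelated to the replay cache change and would be easier to review, and to back out, as its own patch. Suggest splitting the keyword cleanup from the functional hunks.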
@@ -237,9 +233,19 @@

/* decode the message */

+ if ((code = krb5_auth_con_init(context, &auth_context))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ if ((code = krb5_auth_con_setrcache(context, auth_context, cred->rcache))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
cred->keytab, NULL, &ticket))) {
*minor_status = code;
+ (void) krb5_auth_con_setrcache(context, auth_context, NULL);
+ (void) krb5_auth_con_free(context, auth_context);
return(GSS_S_FAILURE);
}

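Review bot: the krb5_auth_con_setrcache() failure branch returns GSS_S_FAILURE without freeing the auth_context that krb5_auth_con_init() allocated a few lines earlier, so that path leaks it; add a krb5_auth_con_free() there, as the krb5_rd_req() failure branch does. Two further checks on the same lines: cred->rcache is only assigned in the keytab path of acquire_cred.c in this patch, so confirm what krb5_rd_req() does when a credential arrives here with a null rcache, and make sure every later error return in this function that frees auth_context also detaches the cache with setrcache(NULL) first, otherwise the credential is left holding a cache that has already been closed.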
--- krb5-1.0/src/lib/gssapi/krb5/acquire_cred.c Thu Oct 10 13:51:42 1996
+++ krb5-1.0/src/lib/gssapi/krb5/acquire_cred.c Wed Feb 12 12:02:52 1997
@@ -27,10 +27,6 @@
#include <strings.h>
#endif

-/*
- * $Id: acquire_cred.c,v 1.18 1996/10/10 17:51:42 tytso Exp $
- */
-
/* get credentials corresponding to a key in the krb5 keytab.
If the default name is requested, return the name in output_princ.
If output_princ is non-NULL, the caller will use or free it, regardless
@@ -118,6 +114,15 @@
/* hooray. we made it */

cred->keytab = kt;
+
+ /* Open the replay cache for this principal. */
+ if ((code = krb5_get_server_rcache(context,
+ krb5_princ_component(context, princ, 0),
+ &cred->rcache))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+
return(GSS_S_COMPLETE);
}

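Review bot: the new failure return after krb5_get_server_rcache() comes after "cred->keytab = kt;" has been assigned, so unless the caller closes the keytab when this function returns GSS_S_FAILURE the open keytab handle is leaked; either release kt here or confirm the caller's error path does. This also makes credential acquisition fail outright when the replay cache cannot be opened, where previously the error would only surface at accept time; that behaviour change deserves a line in the comment above the function.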
--- krb5-1.0/src/lib/gssapi/krb5/delete_sec_context.c Sat Oct 19 01:05:19 1996
+++ krb5-1.0/src/lib/gssapi/krb5/delete_sec_context.c Wed Feb 12 12:03:09 1997
@@ -22,10 +22,6 @@

#include "gssapiP_krb5.h"

-/*
- * $Id: delete_sec_context.c,v 1.12 1996/10/19 05:05:19 tytso Exp $
- */
-
OM_uint32
krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
OM_uint32 *minor_status;
@@ -92,8 +88,10 @@
krb5_free_principal(context, ctx->there);
krb5_free_keyblock(context, ctx->subkey);

- if (ctx->auth_context)
+ if (ctx->auth_context) {
+ (void) krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
krb5_auth_con_free(context, ctx->auth_context);
+ }

if (ctx->mech_used)
gss_release_oid(minor_status, &ctx->mech_used);
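Review bot: the krb5_auth_con_setrcache(..., NULL) call before krb5_auth_con_free() has no comment saying why it is there. The replay cache now belongs to the credential and is closed in rel_cred.c, so this detach is what keeps the context teardown from closing a cache the credential still uses; a one-line comment stating that ownership would stop a later cleanup from removing the call.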
--- krb5-1.0/src/lib/gssapi/krb5/gssapiP_krb5.h Wed Nov 20 21:19:35 1996
+++ krb5-1.0/src/lib/gssapi/krb5/gssapiP_krb5.h Wed Feb 12 12:03:33 1997
@@ -23,10 +23,6 @@
#ifndef _GSSAPIP_KRB5_H_
#define _GSSAPIP_KRB5_H_

-/*
- * $Id: gssapiP_krb5.h,v 1.31.2.1 1996/11/21 02:19:35 marc Exp $
- */
-
#if (defined(_MSDOS) || defined(_WIN32) || defined(_MACINTOSH))
#include <k5-int.h>
#else
@@ -91,6 +87,7 @@
/* ccache (init) data */
krb5_ccache ccache;
krb5_timestamp tgt_expire;
+ krb5_rcache rcache;
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;

typedef struct _krb5_gss_enc_desc {
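Review bot: the new rcache field is tested with "if (cred->rcache)" in rel_cred.c but is only assigned in the keytab path of acquire_cred.c in this patch, so every place that allocates a krb5_gss_cred_id_rec must initialise it to NULL or the release path will close a garbage pointer. The field is also placed under the "ccache (init) data" comment although it is accept-side state; move it next to the keytab member or give it its own comment.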
--- krb5-1.0/src/lib/gssapi/krb5/rel_cred.c Mon Jul 22 16:34:24 1996
+++ krb5-1.0/src/lib/gssapi/krb5/rel_cred.c Wed Feb 12 08:10:24 1997
@@ -29,7 +29,7 @@
{
krb5_context context;
krb5_gss_cred_id_t cred;
- krb5_error_code code1, code2;
+ krb5_error_code code1, code2, code3;

if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
@@ -54,6 +54,11 @@
else
code2 = 0;

+ if (cred->rcache)
+ code3 = krb5_rc_close(context, cred->rcache);
+ else
+ code3 = 0;
+
if (cred->princ)
krb5_free_principal(context, cred->princ);
xfree(cred);
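Review bot: krb5_rc_close() here ends the life of a cache that accepted contexts may still reference, because accept_sec_context.c leaves cred->rcache attached to the auth_context on success and it is only detached in delete_sec_context.c. If a caller releases the credential before deleting its contexts, those contexts hold a dangling rcache pointer. Detaching the cache from auth_context immediately after krb5_rd_req() succeeds would remove that ordering dependency.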
@@ -65,6 +70,8 @@
*minor_status = code1;
if (code2)
*minor_status = code2;
+ if (code3)
+ *minor_status = code3;

return(*minor_status?GSS_S_FAILURE:GSS_S_COMPLETE);
}
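Review bot: code3 is checked last, so a krb5_rc_close() failure overwrites an earlier ccache or keytab error in *minor_status and the caller only ever sees the last one. That follows the existing code1/code2 pattern, but with three sources it is worth either keeping the first non-zero code or noting the precedence in a comment.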
>Audit-Trail:

From: Tom Yu <tlyu@MIT.EDU>
To: Unassigned Problem Report <krb5-unassigned@RT-11.MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/370: gssapi speedups (rcache)
Date: Wed, 12 Feb 1997 16:09:59 -0500

`Tom Yu' made changes to this PR.

*** /tmp/gnatsb0032m Wed Feb 12 16:09:06 1997
--- /tmp/gnatsc0032m Wed Feb 12 16:09:48 1997
***************
*** 11,22 ****
Reply-To: jik@cam.ov.com
To: krb5-bugs@MIT.EDU
Cc: jik@cam.ov.com
! Subject: krb5-ligs
X-Send-Pr-Version: 3.99

>Number: 370
>Category: krb5-libs
! >Synopsis: krb5-ligs
>Confidential: no
>Severity: non-critical
>Priority: medium
--- 11,22 ----
Reply-To: jik@cam.ov.com
To: krb5-bugs@MIT.EDU
Cc: jik@cam.ov.com
! Subject: gssapi speedups (rcache)
X-Send-Pr-Version: 3.99

>Number: 370
>Category: krb5-libs
! >Synopsis: gssapi speedups (rcache)
>Confidential: no
>Severity: non-critical
>Priority: medium

From: "Jonathan I. Kamens" <jik@cam.ov.com>
To: krb5-bugs@MIT.EDU
Cc:
Subject: Re: krb5-libs/370: GSS-API should cache replay cache in accept credentials
Date: Mon, 11 Aug 1997 16:09:33 -0400

Has this change been merged back into the MIT main branch yet? Will
it be included in the next MIT release?

Thanks,

jik
>Unformatted: