From: ghudson@mit.edu
Subject: krb5_init_creds_step() can make synchronous TGS requests for FAST armor TGTs
Date: Thu, 17 Dec 2020 00:27:37 -0500
To: rt@krbdev.mit.edu

get_in_tkt.c calls krb5int_fast_as_armor(), which calls fast_armor_ap_request() if the DO_FAST flag is set. To get the armor TGT, fast_armor_ap_request() calls krb5_get_credentials() with no special flags. Under ordinary circumstances, this just fetches the client-realm TGT from the cache. However, after a realm referral, krb5_get_credentials() may be asked to retrieve a TGT for another realm, in which case it will make TGS requests.
This behavior is intentional, but it does not honor the stepwise contract of krb5_init_creds_step() (which was implemented later than the FAST code). Instead of using the sequential API, we should create a TGS state machine to be referenced from the AS step machine, and step through it until it is complete.
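
A toy C model of the behaviour the ticket describes next to the nested state machine it proposes, added here as an illustration and not libkrb5 code. Every name in it (as_sm, tgs_sm, as_step_blocking, as_step_nested, as_emit, drive) is hypothetical, and requests are reduced to an enum.

```c
#include <stdio.h>

/* Toy model only: every name here is hypothetical, none is a libkrb5 symbol. */
enum req { REQ_NONE, REQ_TGS, REQ_AS };
struct tgs_sm { int hops_left; };   /* TGS exchanges still needed for the armor TGT */
struct as_sm { struct tgs_sm armor; int as_sent; int hidden_io; };

/* One TGS step: hand back a single request, or REQ_NONE once complete. */
static enum req tgs_step(struct tgs_sm *t)
{
    if (t->hops_left == 0)
        return REQ_NONE;
    t->hops_left--;
    return REQ_TGS;
}

/* Emit the AS request exactly once. */
static enum req as_emit(struct as_sm *a)
{
    if (a->as_sent)
        return REQ_NONE;
    a->as_sent = 1;
    return REQ_AS;
}

/* Behaviour in the ticket: the armor fetch runs to completion inside the
 * step, so those exchanges never reach the caller's I/O loop. */
static enum req as_step_blocking(struct as_sm *a)
{
    while (tgs_step(&a->armor) != REQ_NONE)
        a->hidden_io++;
    return as_emit(a);
}

/* Proposed shape: each call yields at most one request for the caller to send. */
static enum req as_step_nested(struct as_sm *a)
{
    enum req r = tgs_step(&a->armor);
    return r != REQ_NONE ? r : as_emit(a);
}

/* Drive a step function to completion, logging what the caller had to send. */
static int drive(enum req (*step)(struct as_sm *), struct as_sm *a, enum req *log, int max)
{
    int n = 0;
    enum req r;
    while (n < max && (r = step(a)) != REQ_NONE)
        log[n++] = r;
    return n;
}

int main(void)
{
    struct as_sm a = { { 2 }, 0, 0 };   /* constructed case: two TGS hops for the armor TGT */
    enum req log[8];
    int n = drive(as_step_nested, &a, log, 8);
    printf("nested: caller sent %d requests, %d hidden\n", n, a.hidden_io);
    return 0;
}
```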