svn rev #21570: branches/mskrb-integ/src/kdc/
lhoward@MIT.EDU
lhoward at MIT.EDU
Mon Dec 22 22:55:05 EST 2008
http://src.mit.edu/fisheye/changelog/krb5/?cs=21570
Commit By: lhoward
Log Message:
cleanup/refactor
Changed Files:
U branches/mskrb-integ/src/kdc/do_as_req.c
U branches/mskrb-integ/src/kdc/do_tgs_req.c
U branches/mskrb-integ/src/kdc/kdc_authdata.c
U branches/mskrb-integ/src/kdc/kdc_util.h
Modified: branches/mskrb-integ/src/kdc/do_as_req.c
===================================================================
--- branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-23 03:30:04 UTC (rev 21569)
+++ branches/mskrb-integ/src/kdc/do_as_req.c 2008-12-23 03:55:04 UTC (rev 21570)
@@ -523,7 +523,6 @@
errcode = handle_authdata(kdc_context,
c_flags,
- reply.client,
&client,
&server,
&server,
@@ -531,6 +530,7 @@
&server_keyblock,
req_pkt,
request,
+ NULL, /* for_user_princ */
NULL, /* enc_tkt_request */
&enc_tkt_reply);
if (errcode) {
Modified: branches/mskrb-integ/src/kdc/do_tgs_req.c
===================================================================
--- branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 03:30:04 UTC (rev 21569)
+++ branches/mskrb-integ/src/kdc/do_tgs_req.c 2008-12-23 03:55:04 UTC (rev 21570)
@@ -618,10 +618,14 @@
enc_tkt_reply.authorization_data = NULL;
+ if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
+ is_local_principal(header_enc_tkt->client))
+ enc_tkt_reply.client = for_user->user;
+ else
+ enc_tkt_reply.client = header_enc_tkt->client;
+
errcode = handle_authdata(kdc_context,
c_flags,
- isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
- for_user->user : header_enc_tkt->client,
(c_nprincs != 0) ? &client : NULL,
&server,
&krbtgt,
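Review bot: The assignment to enc_tkt_reply.client moved here has a hidden ordering dependency: it now has to run before handle_authdata() because handle_tgt_authdata() reads enc_tkt_reply->client in the non-transition case, yet nothing at this site says so, and a later tidy-up could move it back after the call without any compiler complaint. A short comment above the new `if` would pin it down, e.g. `/* Must precede handle_authdata(): the authdata code reads enc_tkt_reply.client. */`. The branch also keeps dereferencing `for_user->user` whenever KRB5_KDB_FLAG_PROTOCOL_TRANSITION is set, so the flag/for_user pairing remains an unstated invariant of the caller; the enclosing function starts and ends outside the hunk.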
@@ -629,6 +633,7 @@
&encrypting_key, /* U2U or server key */
pkt,
request,
+ for_user ? for_user->user : NULL,
header_enc_tkt,
&enc_tkt_reply);
if (errcode) {
@@ -645,11 +650,6 @@
}
enc_tkt_reply.session = &session_key;
- if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- is_local_principal(header_enc_tkt->client))
- enc_tkt_reply.client = for_user->user;
- else
- enc_tkt_reply.client = header_enc_tkt->client;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
Modified: branches/mskrb-integ/src/kdc/kdc_authdata.c
===================================================================
--- branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:30:04 UTC (rev 21569)
+++ branches/mskrb-integ/src/kdc/kdc_authdata.c 2008-12-23 03:55:04 UTC (rev 21570)
@@ -52,13 +52,13 @@
/* MIT Kerberos 1.7 (V1) authdata plugin callback */
typedef krb5_error_code (*authdata_proc_1)
(krb5_context, unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client, krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
typedef krb5_error_code (*init_proc)
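Review bot: Inserting `for_user_princ` into the `authdata_proc_1` typedef changes the calling convention of what the comment on the first hunk line labels the "MIT Kerberos 1.7 (V1) authdata plugin callback", so any plugin built against the previous V1 prototype would be invoked with its trailing arguments shifted by one (enc_tkt_request received where it expects for_user_princ). If V1 is meant to be a stable plugin interface, this belongs in a new callback version rather than an in-place edit; if the interface is still unreleased on this branch, a comment saying so next to the typedef would save the next reader the same question. The same shifted call is made in the AUTHDATA_SYSTEM_V1 dispatch in the later kdc_authdata.c hunk.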
@@ -70,7 +70,6 @@
static krb5_error_code handle_request_authdata
(krb5_context context,
unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -78,6 +77,7 @@
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
@@ -85,7 +85,6 @@
static krb5_error_code handle_tgt_authdata
(krb5_context context,
unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -93,6 +92,7 @@
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
@@ -369,7 +369,6 @@
static krb5_error_code
handle_request_authdata (krb5_context context,
unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -377,6 +376,7 @@
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
@@ -424,7 +424,6 @@
static krb5_error_code
handle_tgt_authdata (krb5_context context,
unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -432,6 +431,7 @@
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
@@ -440,6 +440,7 @@
krb5_db_entry ad_entry;
int ad_nprincs = 0;
krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
+ krb5_const_principal actual_client;
/*
* Check whether KDC issued authorization data should be included.
@@ -474,6 +475,16 @@
}
/*
+ * We have this special case for protocol transition, because for
+ * cross-realm protocol transition the ticket reply client will
+ * not be changed until the final hop.
+ */
+ if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
+ actual_client = for_user_princ;
+ else
+ actual_client = enc_tkt_reply->client;
+
+ /*
* If the backend does not implement the sign authdata method, then
* just copy the TGT authorization data into the reply, except for
* the constrained delegation case (which requires special handling
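Review bot: `actual_client = for_user_princ;` can assign NULL: the do_as_req.c caller passes `NULL` for this parameter outright, and the do_tgs_req.c caller passes `for_user ? for_user->user : NULL`, so whenever KRB5_KDB_FLAG_PROTOCOL_TRANSITION is set without a for_user value the NULL is handed straight to sign_db_authdata() and the backend signs authorization data for an unnamed client. That combination should be treated as a caller bug rather than silently continued, e.g. `if (for_user_princ == NULL) return KRB5KRB_ERR_GENERIC;` inside the flag branch, or a jump to the function's cleanup path if it has one. The comment above the new `if` is helpful; it would be worth adding that for_user_princ is required when the flag is set. handle_tgt_authdata() starts and ends outside this hunk.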
@@ -485,7 +496,7 @@
*/
code = sign_db_authdata(context,
flags,
- reply_client,
+ actual_client,
client,
server,
krbtgt,
@@ -538,7 +549,6 @@
krb5_error_code
handle_authdata (krb5_context context,
unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -546,6 +556,7 @@
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
@@ -566,10 +577,11 @@
request, enc_tkt_reply);
break;
case AUTHDATA_SYSTEM_V1:
- code = asys->handle_authdata.v1(context, flags, reply_client,
+ code = asys->handle_authdata.v1(context, flags,
client, server, krbtgt,
client_key, server_key,
- req_pkt, request, enc_tkt_request,
+ req_pkt, request, for_user_princ,
+ enc_tkt_request,
enc_tkt_reply);
break;
default:
Modified: branches/mskrb-integ/src/kdc/kdc_util.h
===================================================================
--- branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-23 03:30:04 UTC (rev 21569)
+++ branches/mskrb-integ/src/kdc/kdc_util.h 2008-12-23 03:55:04 UTC (rev 21570)
@@ -179,7 +179,6 @@
krb5_error_code
handle_authdata (krb5_context context,
unsigned int flags,
- krb5_const_principal reply_client,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -187,6 +186,7 @@
krb5_keyblock *server_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
+ krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
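Review bot: The public declaration of handle_authdata() gains `for_user_princ` with no statement of when it may be NULL, while the two call sites in this commit treat it differently (the AS path always passes NULL, the TGS path passes the for_user principal when present). A one-line comment on the parameter would keep callers honest, e.g. `/* for_user_princ: principal from the request's for_user data, or NULL when absent (always NULL on the AS path) */`. Whether a NULL value is acceptable together with KRB5_KDB_FLAG_PROTOCOL_TRANSITION is the part callers most need to know, since handle_tgt_authdata() uses it unconditionally under that flag.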