svn rev #23461: branches/fast-negotiate/src/ clients/kinit/ include/ include/krb5/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Dec 9 12:54:07 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23461
Commit By: ghudson
Log Message:
Fix some formatting issues.
Changed Files:
U branches/fast-negotiate/src/clients/kinit/kinit.c
U branches/fast-negotiate/src/include/k5-int.h
U branches/fast-negotiate/src/include/krb5/krb5.hin
U branches/fast-negotiate/src/kdc/do_as_req.c
U branches/fast-negotiate/src/kdc/do_tgs_req.c
U branches/fast-negotiate/src/kdc/kdc_preauth.c
U branches/fast-negotiate/src/kdc/kdc_util.c
U branches/fast-negotiate/src/lib/crypto/krb/make_checksum.c
U branches/fast-negotiate/src/lib/krb5/asn.1/krb5_decode.c
U branches/fast-negotiate/src/lib/krb5/krb/fast.c
U branches/fast-negotiate/src/lib/krb5/krb/fast.h
U branches/fast-negotiate/src/lib/krb5/krb/get_in_tkt.c
U branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c
Modified: branches/fast-negotiate/src/clients/kinit/kinit.c
===================================================================
--- branches/fast-negotiate/src/clients/kinit/kinit.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/clients/kinit/kinit.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -682,8 +682,8 @@
}
if ((opts->action != INIT_PW) && (opts->action != INIT_KT)) {
- code = krb5_cc_initialize(k5->ctx, k5->cc,
- opts->canonicalize ? my_creds.client : k5->me);
+ code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ?
+ my_creds.client : k5->me);
if (code) {
com_err(progname, code, "when initializing cache %s",
opts->k5_cache_name?opts->k5_cache_name:"");
Modified: branches/fast-negotiate/src/include/k5-int.h
===================================================================
--- branches/fast-negotiate/src/include/k5-int.h 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/include/k5-int.h 2009-12-09 17:54:07 UTC (rev 23461)
@@ -257,9 +257,8 @@
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
-#define KRB5_CCCONF_FAST_AVAIL "fast_avail"
+#define KRB5_CONF_FAST_AVAIL "fast_avail"
-
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
(which allows non-ambiguous error codes between subsystems) */
Modified: branches/fast-negotiate/src/include/krb5/krb5.hin
===================================================================
--- branches/fast-negotiate/src/include/krb5/krb5.hin 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/include/krb5/krb5.hin 2009-12-09 17:54:07 UTC (rev 23461)
@@ -930,7 +930,7 @@
#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
#define TKT_FLG_OK_AS_DELEGATE 0x00040000
#define TKT_FLG_ANONYMOUS 0x00020000
-#define TKT_FLG_ENC_PA_REP 0x10000
+#define TKT_FLG_ENC_PA_REP 0x00010000
/* #define TKT_FLG_RESERVED 0x00008000 */
/* #define TKT_FLG_RESERVED 0x00004000 */
/* #define TKT_FLG_RESERVED 0x00002000 */
@@ -1035,7 +1035,6 @@
#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138
#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149
-
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
#define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
#define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */
@@ -2271,35 +2270,43 @@
krb5_get_init_creds_opt *opt, const char *attr,
const char *value);
+/**
+ * This API sets a ccache name that will contain some TGT on calls to
+ * t_init_creds functions. If set, this ccache will be used for FAST
+ * (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from observation
+ * and active attack. If the fast_ccache_name is set, then FAST may be
+ * required by the client library. In this and future versions, FAST will be
+ * used if available; krb5_get_init_creds_opt_set_fast_flags() may be used to
+ * require that the request fail is FAST is unavailable. In MIT Kerberos 1.7
+ * setting the fast ccache at all required that FAST be present or the request
+ * would fail.
+ */
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
-/**This API sets a ccache name that will contain some TGT on calls to
- get_init_creds functions. If set, this ccache will be used for FAST
- (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from
- observation and active attack. If the fast_ccache_name is set, then FAST
- may be required by the client library. In this and future versions, FAST
- will be used if available; krb5_get_init_creds_opt_set_fast_flags() may be
- used to require that the request fail is FAST is unavailable. In MIT
- Kerberos 1.7 setting the fast ccache at all required that FAST be present
- or the request would fail.*/
krb5_get_init_creds_opt *opt,
const char *fast_ccache_name);
-/**Set a ccache where resulting credentials will be stored. If set, then the
+/**
+ * Set a ccache where resulting credentials will be stored. If set, then the
* krb5_get_init_creds family of APIs will write out credentials to the given
* ccache. Setting an output ccache is desirable both because it simplifies
* calling code and because it permits the krb5_get_init_creds APIs to write
* out configuration information about the realm to the ccache.
*/
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_out_ccache
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache);
+krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache ccache);
+
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags);
+krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags flags);
+
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_get_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags *out_flags);
/* Fast flags*/
#define KRB5_FAST_REQUIRED 1l<<0 /*!< Require KDC to support FAST*/
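Review bot: The relocated doc comment for krb5_get_init_creds_opt_set_fast_ccache_name carries two wording defects on its new lines: `t_init_creds functions` has lost the start of `get_init_creds`, and `require that the request fail is FAST is unavailable` should read `fail if FAST is unavailable`. Suggested lines: ` * This API sets a ccache name that will contain some TGT on calls to` / ` * get_init_creds functions.` and ` * require that the request fail if FAST is unavailable.` The parameter list on the first two context lines belongs to a declaration that starts before the hunk.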
Modified: branches/fast-negotiate/src/kdc/do_as_req.c
===================================================================
--- branches/fast-negotiate/src/kdc/do_as_req.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/kdc/do_as_req.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -603,8 +603,7 @@
goto errout;
}
errcode = return_enc_padata(kdc_context, req_pkt, request,
- as_encrypting_key,
- &server, &reply_encpart);
+ as_encrypting_key, &server, &reply_encpart);
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto errout;
Modified: branches/fast-negotiate/src/kdc/do_tgs_req.c
===================================================================
--- branches/fast-negotiate/src/kdc/do_tgs_req.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/kdc/do_tgs_req.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -948,28 +948,28 @@
goto cleanup;
}
if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
+ int idx = 0;
+
errcode = return_enc_padata(kdc_context, pkt, request,
- reply_key,
- &server, &reply_encpart);
+ reply_key, &server, &reply_encpart);
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
- } else {/*Not refferal*/
- int idx = 0;
- reply_encpart.enc_padata = calloc(3, sizeof(krb5_pa_data *));
- if (reply_encpart.enc_padata == NULL) {
- errcode = ENOMEM;
- status = "Allocating enc_padata";
- goto cleanup;
- }
- errcode = kdc_handle_protected_negotiation(pkt, request,
- reply_key, reply_encpart.enc_padata, &idx);
- if (errcode != 0) {
- status = "protected negotiation";
- goto cleanup;
- }
}
-
+ /* Not referral. */
+ reply_encpart.enc_padata = calloc(3, sizeof(krb5_pa_data *));
+ if (reply_encpart.enc_padata == NULL) {
+ errcode = ENOMEM;
+ status = "Allocating enc_padata";
+ goto cleanup;
+ }
+ errcode = kdc_handle_protected_negotiation(pkt, request, reply_key,
+ reply_encpart.enc_padata,
+ &idx);
+ if (errcode != 0) {
+ status = "protected negotiation";
+ goto cleanup;
+ }
}
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
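Review bot: The `/* Not referral. */` comment and the code beneath it are still inside the `if (is_referral && ...)` block, so the protected-negotiation padata are built only for referral TGS requests, and the `calloc(3, ...)` overwrites the `enc_padata` array that return_enc_padata allocated a few lines earlier (its own `calloc(4, ...)` is visible in the kdc_preauth.c hunk), leaking that array and discarding whatever it filled in. The old `else` was attached to `if (errcode)`, and this rewrite preserves that placement while labelling the block as the non-referral path. If the non-referral path is the intent, close the referral block right after the `goto cleanup;` of the return_enc_padata check and continue with `} else {` followed by `int idx = 0;` and the existing allocation and kdc_handle_protected_negotiation call; whether return_enc_padata already covers negotiation for the referral case is not visible here. The enclosing function starts and ends outside the hunk, so whether `cleanup` frees the overwritten array cannot be confirmed from it.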
Modified: branches/fast-negotiate/src/kdc/kdc_preauth.c
===================================================================
--- branches/fast-negotiate/src/kdc/kdc_preauth.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/kdc/kdc_preauth.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -3064,24 +3064,21 @@
}
krb5_error_code
-return_enc_padata(krb5_context context,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_keyblock *reply_key,
- krb5_db_entry *server,
- krb5_enc_kdc_rep_part *reply_encpart)
+return_enc_padata(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_keyblock *reply_key,
+ krb5_db_entry *server, krb5_enc_kdc_rep_part *reply_encpart)
{
krb5_error_code code;
krb5_tl_data tl_data;
krb5_pa_data *pa_data;
int idx = 0;
- /* This should be initialized and only used for Win2K compat and other
- * specific standardized uses such as FAST negotiation.*/
+ /* This should be initialized and only used for Win2K compat and other
+ * specific standardized uses such as FAST negotiation. */
assert(reply_encpart->enc_padata == NULL);
- reply_encpart->enc_padata = (krb5_pa_data **)calloc(4, sizeof(krb5_pa_data *));
- if (reply_encpart->enc_padata == NULL) {
+ reply_encpart->enc_padata = calloc(4, sizeof(krb5_pa_data *));
+ if (reply_encpart->enc_padata == NULL)
return ENOMEM;
- }
tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA;
code = krb5_dbe_lookup_tl_data(context, server, &tl_data);
if (code || tl_data.tl_data_length == 0)
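Review bot: `calloc(4, sizeof(krb5_pa_data *))` keeps a bare capacity of four entries with `idx` as the fill pointer, and nothing in the hunk bounds `idx` against it; do_tgs_req.c uses a different bare `3` for the same kind of array. A short comment on the allocation naming what the slots are reserved for (the referral data and FAST negotiation the comment above mentions, plus the terminating NULL, presumably) or a shared named constant would make the limit checkable from the code. The `assert` on the preceding line is compiled out under NDEBUG, so a non-NULL `enc_padata` would then be silently leaked rather than caught. return_enc_padata continues past the end of the hunk.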
Modified: branches/fast-negotiate/src/kdc/kdc_util.c
===================================================================
--- branches/fast-negotiate/src/kdc/kdc_util.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/kdc/kdc_util.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -2661,15 +2661,17 @@
* @param index in/out index into @c out_enc_padata for next item
*/
krb5_error_code
-kdc_handle_protected_negotiation( krb5_data *req_pkt, krb5_kdc_req *request,
- const krb5_keyblock *reply_key, krb5_pa_data **out_enc_padata, int *idx)
+kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+ const krb5_keyblock *reply_key,
+ krb5_pa_data **out_enc_padata, int *idx)
{
krb5_error_code retval = 0;
krb5_checksum checksum;
krb5_data *out = NULL;
krb5_pa_data *pa;
assert(out_enc_padata != NULL);
- pa = krb5int_find_pa_data(kdc_context, request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP);
+ pa = krb5int_find_pa_data(kdc_context, request->padata,
+ KRB5_ENCPADATA_REQ_ENC_PA_REP);
if (pa == NULL)
return 0;
checksum.contents = NULL;
@@ -2678,8 +2680,8 @@
return ENOMEM;
pa->magic = KV5M_PA_DATA;
pa->pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
- retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ,
- req_pkt, &checksum);
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+ KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
if (retval != 0)
goto cleanup;
retval = encode_krb5_checksum(&checksum, &out);
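Review bot: The reflowed call still reads `kdc_context,0, reply_key`, so the formatting pass missed the spacing around the checksum-type argument; `retval = krb5_c_make_checksum(kdc_context, 0, reply_key,` would match the rest of the hunk. That `0` relies on the convention documented in the make_checksum.c hunk (0 selects the mandatory checksum type for the key's enctype), which a reader of this file cannot see; a comment such as `/* cksumtype 0: use the mandatory checksum type for reply_key's enctype. */` above the call would record it. kdc_handle_protected_negotiation starts in the previous hunk and ends after this one.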
Modified: branches/fast-negotiate/src/lib/crypto/krb/make_checksum.c
===================================================================
--- branches/fast-negotiate/src/lib/crypto/krb/make_checksum.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/lib/crypto/krb/make_checksum.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -30,7 +30,7 @@
#include "etypes.h"
#include "dk.h"
-/* A 0 checksum type means use the mandatory checksum*/
+/* A 0 checksum type means use the mandatory checksum. */
krb5_error_code KRB5_CALLCONV
krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
@@ -47,7 +47,8 @@
size_t cksumlen;
if (cksumtype == 0) {
- ret = krb5int_c_mandatory_cksumtype(context, krb5_k_key_enctype(context, key), &cksumtype);
+ ret = krb5int_c_mandatory_cksumtype(context, key->keyblock.enctype,
+ &cksumtype);
if (ret != 0)
return ret;
}
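Review bot: Replacing `krb5_k_key_enctype(context, key)` with `key->keyblock.enctype` is a change of code, not of formatting, and the log message `Fix some formatting issues.` does not mention it. The two presumably evaluate to the same value, but the direct field access ties this line to the layout of the key structure where the accessor did not; either keep the accessor and only rewrap the line, or record the substitution in the log. krb5_k_make_checksum starts in the previous hunk and continues past this one.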
Modified: branches/fast-negotiate/src/lib/krb5/asn.1/krb5_decode.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/asn.1/krb5_decode.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/lib/krb5/asn.1/krb5_decode.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -702,7 +702,8 @@
return retval;
}
-krb5_error_code decode_krb5_checksum(const krb5_data *code, krb5_checksum **repptr)
+krb5_error_code
+decode_krb5_checksum(const krb5_data *code, krb5_checksum **repptr)
{
setup_buf_only(krb5_checksum *);
alloc_field(rep);
Modified: branches/fast-negotiate/src/lib/krb5/krb/fast.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/fast.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/lib/krb5/krb/fast.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -56,7 +56,7 @@
static krb5_error_code
fast_armor_ap_request(krb5_context context,
struct krb5int_fast_request_state *state,
- krb5_ccache ccache, krb5_principal target_principal)
+ krb5_ccache ccache, krb5_principal target_principal)
{
krb5_error_code retval = 0;
krb5_creds creds, *out_creds = NULL;
@@ -97,7 +97,7 @@
krb5_free_keyblock(context, subkey);
if (out_creds)
krb5_free_creds(context, out_creds);
- /*target_principal is owned by caller*/
+ /* target_principal is owned by caller. */
creds.server = NULL;
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
@@ -147,14 +147,15 @@
state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL;
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
- if (retval == 0)
- retval = krb5_tgtname(context, target_realm, target_realm, &target_principal);
if (retval == 0) {
+ retval = krb5_tgtname(context, target_realm, target_realm,
+ &target_principal);
+ }
+ if (retval == 0) {
krb5_data config_data;
config_data.data = NULL;
- retval = krb5_cc_get_config(context, ccache,
- target_principal, KRB5_CCCONF_FAST_AVAIL,
- &config_data);
+ retval = krb5_cc_get_config(context, ccache, target_principal,
+ KRB5_CONF_FAST_AVAIL, &config_data);
if ((retval == 0) && config_data.data )
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
krb5_free_data_contents(context, &config_data);
@@ -162,9 +163,10 @@
}
if (opte->opt_private->fast_flags& KRB5_FAST_REQUIRED)
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
- if (retval==0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST))
+ if (retval == 0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST)) {
retval = fast_armor_ap_request(context, state, ccache,
-target_principal);
+ target_principal);
+ }
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
@@ -552,16 +554,19 @@
}
-krb5_error_code krb5int_fast_verify_nego
-(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_rep *rep, krb5_data *request,
- krb5_keyblock *decrypting_key, krb5_boolean *fast_avail)
+krb5_error_code
+krb5int_fast_verify_nego(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *rep, krb5_data *request,
+ krb5_keyblock *decrypting_key,
+ krb5_boolean *fast_avail)
{
krb5_error_code retval = 0;
krb5_checksum *checksum = NULL;
krb5_pa_data *pa;
krb5_data scratch;
krb5_boolean valid;
+
if (rep->enc_part2->flags& TKT_FLG_ENC_PA_REP) {
pa = krb5int_find_pa_data(context, rep->enc_part2->enc_padata,
KRB5_ENCPADATA_REQ_ENC_PA_REP);
@@ -574,29 +579,30 @@
if (retval == 0)
retval = decode_krb5_checksum(&scratch, &checksum);
if (retval == 0)
- retval =krb5_c_verify_checksum(context, decrypting_key, KRB5_KEYUSAGE_AS_REQ,
- request, checksum, &valid);
+ retval = krb5_c_verify_checksum(context, decrypting_key,
+ KRB5_KEYUSAGE_AS_REQ,
+ request, checksum, &valid);
if (retval == 0 &&valid == 0)
retval = KRB5_KDCREP_MODIFIED;
if (retval == 0) {
pa = krb5int_find_pa_data(context, rep->enc_part2->enc_padata,
KRB5_PADATA_FX_FAST);
- if (pa)
- *fast_avail = 1;
- else *fast_avail = 0;
+ *fast_avail = (pa != NULL);
}
}
if (checksum)
krb5_free_checksum(context, checksum);
return retval;
}
-krb5_boolean krb5int_upgrade_to_fast_p
-(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_pa_data **padata)
+
+krb5_boolean
+krb5int_upgrade_to_fast_p(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_pa_data **padata)
{
if (state->armor_key != NULL)
return 0; /*already using FAST*/
- if (! (state->fast_state_flags & KRB5INT_FAST_ARMOR_AVAIL))
+ if (!(state->fast_state_flags & KRB5INT_FAST_ARMOR_AVAIL))
return 0;
if (krb5int_find_pa_data(context, padata, KRB5_PADATA_FX_FAST) != NULL) {
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
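Review bot: krb5int_fast_verify_nego passes whatever checksum type the KDC placed in the REQ_ENC_PA_REP padata straight to krb5_c_verify_checksum with `decrypting_key`, but nothing in the hunk confirms the type is a keyed one; unless krb5_c_verify_checksum itself rejects unkeyed types when a key is supplied, a checksum of an unkeyed type would verify without the key and the `KRB5_KDCREP_MODIFIED` path would never fire for it. A guard before the verify call, `if (retval == 0 && !krb5_c_is_keyed_cksum(checksum->checksum_type)) retval = KRB5KRB_AP_ERR_INAPP_CKSUM;`, pins that expectation. Separately, `*fast_avail` is written only on the fully verified path, so callers must initialise it themselves, and neither this function nor krb5int_upgrade_to_fast_p has a doc comment stating its out-parameter contract. krb5int_fast_verify_nego begins in the previous hunk, and krb5int_upgrade_to_fast_p is cut off at the end of this one.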
Modified: branches/fast-negotiate/src/lib/krb5/krb/fast.h
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/fast.h 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/lib/krb5/krb/fast.h 2009-12-09 17:54:07 UTC (rev 23461)
@@ -41,10 +41,10 @@
krb5_ui_4 fast_options;
krb5_int32 nonce;
};
-#define KRB5INT_FAST_DO_FAST (1l<<0) /*perform FAST*/
+
+#define KRB5INT_FAST_DO_FAST (1l<<0) /* Perform FAST */
#define KRB5INT_FAST_ARMOR_AVAIL (1l<<1)
-
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
krb5_kdc_req *request, krb5_data **encoded_req_body);
@@ -82,15 +82,16 @@
krb5_keyblock *output_key);
-krb5_error_code krb5int_fast_verify_nego
-(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_rep *rep, krb5_data *request,
- krb5_keyblock *decrypting_key, krb5_boolean *fast_avail);
+krb5_error_code
+krb5int_fast_verify_nego(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *rep, krb5_data *request,
+ krb5_keyblock *decrypting_key,
+ krb5_boolean *fast_avail);
-krb5_boolean krb5int_upgrade_to_fast_p
-(krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **padata);
+krb5_boolean
+krb5int_upgrade_to_fast_p(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_pa_data **padata);
-
-
-
#endif
Modified: branches/fast-negotiate/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/get_in_tkt.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/lib/krb5/krb/get_in_tkt.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -545,7 +545,8 @@
&& data_eq(tgt->server->realm, tgt->client->realm));
}
-static krb5_error_code request_enc_pa_rep(krb5_pa_data ***padptr)
+static krb5_error_code
+request_enc_pa_rep(krb5_pa_data ***padptr)
{
size_t size = 0;
krb5_pa_data **pad = *padptr;
@@ -1257,8 +1258,9 @@
return code;
}
-/** Throw away any state related to specific realm either at the beginning of a
- * request, or when a realm changes, or when we start to use FAST after
+/**
+ * Throw away any state related to specific realm either at the beginning of a
+ * request, or when a realm changes, or when we start to use FAST after
* assuming we would not do so.
*
* @param padata padata from an error if an error from the realm we now expect
@@ -1266,8 +1268,7 @@
* such as whether FAST is used.
*/
static krb5_error_code
-restart_init_creds_loop(krb5_context context,
- struct _krb5_init_creds_context *ctx,
+restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **padata)
{
krb5_error_code code = 0;
@@ -1291,22 +1292,25 @@
krb5_free_data(context, ctx->encoded_request_body);
ctx->encoded_request_body = NULL;
}
- if (ctx->opte && (ctx->opte->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
+ if (ctx->opte &&
+ (ctx->opte->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
if ((code = make_preauth_list(context, ctx->opte->preauth_list,
ctx->opte->preauth_list_length,
&ctx->preauth_to_use)))
goto cleanup;
}
- /* set the request nonce */
+ /* Set the request nonce. */
random_data.length = 4;
random_data.data = (char *)random_buf;
code = krb5_c_random_make_octets(context, &random_data);
if (code !=0)
goto cleanup;
-/* See RT ticket 3196 at MIT. If we set the high bit, we
- may have compatibility problems with Heimdal, because
- we (incorrectly) encode this value as signed. */
+ /*
+ * See RT ticket 3196 at MIT. If we set the high bit, we may have
+ * compatibility problems with Heimdal, because we (incorrectly) encode
+ * this value as signed.
+ */
ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
krb5_free_principal(context, ctx->request->server);
ctx->request->server = NULL;
@@ -1720,50 +1724,49 @@
return code;
}
-/* The control flow is complicated. In order to switch from non-FAST mode
- * to FAST mode, we need to reset our pre-authentication state. FAST
- * negotiation attempts to make sure we rarely have to do this. When FAST
- * negotiation is working, we record whether FAST is available when we
- * obtain an armor ticket; if so, we start out with FAST enabled . There
- * are two complicated situations.
+/*
+ * The control flow is complicated. In order to switch from non-FAST mode to
+ * FAST mode, we need to reset our pre-authentication state. FAST negotiation
+ * attempts to make sure we rarely have to do this. When FAST negotiation is
+ * working, we record whether FAST is available when we obtain an armor ticket;
+ * if so, we start out with FAST enabled . There are two complicated
+ * situations.
*
* First, if we get a PREAUTH_REQUIRED error including PADATA_FX_FAST back from
* a KDC in a case where we were not expecting to use FAST, and we have an
- * armor ticket available, then we want to use FAST. That involves
- * clearing out the pre-auth state, reinitializing the plugins and trying
- * again with an armor key.
+ * armor ticket available, then we want to use FAST. That involves clearing
+ * out the pre-auth state, reinitializing the plugins and trying again with an
+ * armor key.
*
- * Secondly, using the negotiation can cause problems with some older
- * KDCs. Negotiation involves including a special padata item. Some KDCs,
- * including MIT prior to 1.7, will return PREAUTH_FAILED rather than
- * PREAUTH_REQUIRED in pre-authentication is required and unknown padata are
- * included in the request. To make matters worse, these KDCs typically do
- * not include a list of padata in PREAUTH_FAILED errors. So, if we get
- * PREAUTH_FAILED and we generated no pre-authentication other than the
- * negotiation then we want to retry without negotiation. In this case it
- * is probably also desirable to retry with the preauth plugin state cleared.
+ * Secondly, using the negotiation can cause problems with some older KDCs.
+ * Negotiation involves including a special padata item. Some KDCs, including
+ * MIT prior to 1.7, will return PREAUTH_FAILED rather than PREAUTH_REQUIRED in
+ * pre-authentication is required and unknown padata are included in the
+ * request. To make matters worse, these KDCs typically do not include a list
+ * of padata in PREAUTH_FAILED errors. So, if we get PREAUTH_FAILED and we
+ * generated no pre-authentication other than the negotiation then we want to
+ * retry without negotiation. In this case it is probably also desirable to
+ * retry with the preauth plugin state cleared.
*
- * In all these cases we should not start over more than once. Control
- * flow is managed by several variables.
+ * In all these cases we should not start over more than once. Control flow is
+ * managed by several variables.
*
- * sent_nontrivial_preauth: if true, we sent preauth other than
- * negotiation; no restart on PREAUTH_FAILED
+ * sent_nontrivial_preauth: if true, we sent preauth other than negotiation;
+ * no restart on PREAUTH_FAILED
*
- * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag
- * if desired we could generate armor; if not set, then we can't use FAST
- * even if the KDC wants to.
+ * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag if desired we could generate
+ * armor; if not set, then we can't use FAST even if the KDC wants to.
*
- * have_restarted: true if we've already restarted
+ * have_restarted: true if we've already restarted
*/
static krb5_boolean
-negotiation_requests_restart(krb5_context context,
- struct _krb5_init_creds_context *ctx,
+negotiation_requests_restart(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **padata)
{
- if ((!ctx->have_restarted) && (
- krb5int_upgrade_to_fast_p(context, ctx->fast_state, padata)
- || (ctx->err_reply->error == KDC_ERR_PREAUTH_FAILED &&
- (!ctx->sent_nontrivial_preauth))))
+ if (!ctx->have_restarted &&
+ (krb5int_upgrade_to_fast_p(context, ctx->fast_state, padata) ||
+ (ctx->err_reply->error == KDC_ERR_PREAUTH_FAILED &&
+ !ctx->sent_nontrivial_preauth)))
return 1;
return 0;
}
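Review bot: The rewrapped comment keeps three wording defects on its new lines: `FAST enabled .` has a stray space before the period, `rather than PREAUTH_REQUIRED in pre-authentication is required` should read `if pre-authentication is required`, and the rewrap has joined `KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag` with the following clause, so it now reads `fast_state_flag if desired we could generate armor` and loses the break between the flag name and its description. Suggested: ` * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag; if set, we could generate armor` / ` * if desired; if not set, then we can't use FAST even if the KDC wants to.` The restyled condition in negotiation_requests_restart itself reads correctly and preserves the original grouping.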
@@ -1807,7 +1810,8 @@
code = restart_init_creds_loop(context, ctx, padata);
krb5_free_error(context, ctx->err_reply);
ctx->err_reply = NULL;
- }else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
+ } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+ retry) {
/* reset the list of preauth types to try */
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = padata;
@@ -1834,7 +1838,8 @@
krb5_free_error(context, ctx->err_reply);
ctx->err_reply = NULL;
krb5_preauth_request_context_fini(context);
- ctx->have_restarted = 0; /*permit another negotiation based restart*/
+ /* Permit another negotiation based restart. */
+ ctx->have_restarted = 0;
ctx->sent_nontrivial_preauth = 0;
code = restart_init_creds_loop(context, ctx, NULL);
if (code != 0)
@@ -1964,7 +1969,7 @@
ctx->reply, &ctx->cred, NULL);
if (code != 0)
goto cleanup;
- if (ctx->opte&&ctx->opte->opt_private->out_ccache) {
+ if (ctx->opte && ctx->opte->opt_private->out_ccache) {
krb5_ccache out_ccache = ctx->opte->opt_private->out_ccache;
krb5_data config_data;
code = krb5_cc_initialize(context, out_ccache, ctx->cred.client);
@@ -1977,13 +1982,14 @@
config_data.data = "yes";
config_data.length = strlen(config_data.data);
code = krb5_cc_set_config(context, out_ccache, ctx->cred.server,
- KRB5_CCCONF_FAST_AVAIL, &config_data);
+ KRB5_CONF_FAST_AVAIL, &config_data);
}
cc_cleanup:
if (code !=0) {
const char *msg;
msg = krb5_get_error_message(context, code);
- krb5_set_error_message(context, code, "%s while storing credentials", msg);
+ krb5_set_error_message(context, code,
+ "%s while storing credentials", msg);
krb5_free_error_message(context, msg);
}
}
Modified: branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c
===================================================================
--- branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c 2009-12-09 16:52:41 UTC (rev 23460)
+++ branches/fast-negotiate/src/lib/krb5/krb/gic_opt.c 2009-12-09 17:54:07 UTC (rev 23461)
@@ -490,8 +490,9 @@
}
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_out_ccache
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
+krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache ccache)
{
krb5_error_code retval = 0;
krb5_gic_opt_ext *opte;
@@ -510,8 +511,9 @@
}
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)
+krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags flags)
{
krb5_error_code retval = 0;
krb5_gic_opt_ext *opte;
@@ -525,8 +527,9 @@
}
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_get_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)
+krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags *out_flags)
{
krb5_error_code retval = 0;
krb5_gic_opt_ext *opte;