svn rev #24183: trunk/src/ include/ kdc/ lib/kdb/ plugins/kdb/db2/ plugins/kdb/ldap/

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Jul 12 14:53:54 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24183
Commit By: ghudson
Log Message:
ticket: 6749
status: open

Add check_transited_realms to the DAL table with a corresponding
libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke.



Changed Files:
U   trunk/src/include/kdb.h
U   trunk/src/kdc/kdc_util.c
U   trunk/src/lib/kdb/kdb5.c
U   trunk/src/lib/kdb/libkdb5.exports
U   trunk/src/plugins/kdb/db2/db2_exp.c
U   trunk/src/plugins/kdb/ldap/ldap_exp.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h	2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/include/kdb.h	2010-07-12 18:53:54 UTC (rev 24183)
@@ -323,7 +323,6 @@
 #define KRB5_DB_LOCKMODE_PERMANENT    0x0008
 
 /* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS          0x00000020
 #define KRB5_KDB_METHOD_CHECK_POLICY_AS                 0x00000030
 #define KRB5_KDB_METHOD_CHECK_POLICY_TGS                0x00000040
 #define KRB5_KDB_METHOD_AUDIT_AS                        0x00000050
@@ -331,13 +330,6 @@
 #define KRB5_KDB_METHOD_REFRESH_POLICY                  0x00000070
 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE       0x00000080
 
-typedef struct _kdb_check_transited_realms_req {
-    krb5_magic magic;
-    const krb5_data *tr_contents;
-    const krb5_data *client_realm;
-    const krb5_data *server_realm;
-} kdb_check_transited_realms_req;
-
 typedef struct _kdb_check_policy_as_req {
     krb5_magic magic;
     krb5_kdc_req *request;
@@ -652,6 +644,11 @@
                                       krb5_authdata **tgt_auth_data,
                                       krb5_authdata ***signed_auth_data);
 
+krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext,
+                                               const krb5_data *tr_contents,
+                                               const krb5_data *client_realm,
+                                               const krb5_data *server_realm);
+
 krb5_error_code krb5_db_invoke ( krb5_context kcontext,
                                  unsigned int method,
                                  const krb5_data *req,
@@ -1256,16 +1253,20 @@
                                      krb5_authdata ***signed_auth_data);
 
     /*
+     * Optional: Perform a policy check on a cross-realm ticket's transited
+     * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+     * check fails.
+     */
+    krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+                                              const krb5_data *tr_contents,
+                                              const krb5_data *client_realm,
+                                              const krb5_data *server_realm);
+
+    /*
      * Optional: Perform an operation on input data req with output stored in
      * rep.  Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
      * method.  Defined methods are:
      *
-     *
-     * KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
-     *     kdb_check_transited_realms_req structure.  Perform a policy check on
-     *     a cross-realm ticket's transited field and return an error (other
-     *     than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.  Leave rep alone.
-     *
      * KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req
      *     structure.  Perform a policy check on an AS request, in addition to
      *     the standard policy checks.  Return 0 if the AS request is allowed

Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/kdc/kdc_util.c	2010-07-12 18:53:54 UTC (rev 24183)
@@ -2267,37 +2267,16 @@
                          const krb5_data *realm2)
 {
     krb5_error_code             code;
-    kdb_check_transited_realms_req      req;
-    krb5_data                   req_data;
-    krb5_data                   rep_data;
 
-    /* First check using krb5.conf */
+    /* Check using krb5.conf */
     code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
     if (code)
         return code;
 
-    memset(&req, 0, sizeof(req));
-
-    req.tr_contents             = trans;
-    req.client_realm            = realm1;
-    req.server_realm            = realm2;
-
-    req_data.data = (void *)&req;
-    req_data.length = sizeof(req);
-
-    rep_data.data = NULL;
-    rep_data.length = 0;
-
-    code = krb5_db_invoke(context,
-                          KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS,
-                          &req_data,
-                          &rep_data);
-    if (code == KRB5_PLUGIN_OP_NOTSUPP) {
+    /* Check against the KDB module. */
+    code = krb5_db_check_transited_realms(context, trans, realm1, realm2);
+    if (code == KRB5_PLUGIN_OP_NOTSUPP)
         code = 0;
-    }
-
-    assert(rep_data.length == 0);
-
     return code;
 }
 
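Review bot: The two checks in this function are made against different context handles: the krb5.conf check passes `kdc_context` while the new `krb5_db_check_transited_realms` call passes `context`. If those can ever be distinct objects (this looks like a per-realm or global handle versus a parameter, but the signature starts above this hunk so I cannot confirm), the KDB lookup would run against a different module than the krb5.conf check did; if they are always the same object, one name should be used in both places, e.g. `code = krb5_check_transited_list(context, trans, realm1, realm2);`. The mapping of KRB5_PLUGIN_OP_NOTSUPP to 0 is deliberately permissive and deserves a one-line comment, since a reader could mistake it for a fail-open bug: `/* No module hook: the krb5.conf check above is the only policy. */`.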

Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c	2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/lib/kdb/kdb5.c	2010-07-12 18:53:54 UTC (rev 24183)
@@ -2247,6 +2247,24 @@
 }
 
 krb5_error_code
+krb5_db_check_transited_realms(krb5_context kcontext,
+                               const krb5_data *tr_contents,
+                               const krb5_data *client_realm,
+                               const krb5_data *server_realm)
+{
+    krb5_error_code status;
+    kdb_vftabl *v;
+
+    status = get_vftabl(kcontext, &v);
+    if (status)
+        return status;
+    if (v->check_transited_realms == NULL)
+        return KRB5_PLUGIN_OP_NOTSUPP;
+    return v->check_transited_realms(kcontext, tr_contents, client_realm,
+                                     server_realm);
+}
+
+krb5_error_code
 krb5_db_invoke(krb5_context kcontext,
                unsigned int method,
                const krb5_data *req,

Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports	2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/lib/kdb/libkdb5.exports	2010-07-12 18:53:54 UTC (rev 24183)
@@ -3,6 +3,7 @@
 krb5_db_inited
 krb5_db_alloc
 krb5_db_free
+krb5_db_check_transited_realms
 krb5_db_create
 krb5_db_delete_principal
 krb5_db_destroy

Modified: trunk/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- trunk/src/plugins/kdb/db2/db2_exp.c	2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/plugins/kdb/db2/db2_exp.c	2010-07-12 18:53:54 UTC (rev 24183)
@@ -242,6 +242,6 @@
     /* get_master_key_list */           wrap_krb5_db2_get_mkey_list,
     /* blah blah blah */ 0,0,0,0,0,
     /* promote_db */                    wrap_krb5_db2_promote_db,
-    0, 0, 0,
+    0, 0, 0, 0,
     /* invoke */                        wrap_krb5_db2_invoke
 };
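Review bot: The vftabl initializer here is positional, so the only visible change is widening `0, 0, 0,` to `0, 0, 0, 0,`; nothing in this file names which slot is which, and a miscount would silently land `wrap_krb5_db2_invoke` in the new check_transited_realms slot, where the KDC would call it with the wrong argument types. Labeling the new slot as ldap_exp.c does, `/* check_transited_realms */ 0,` (or switching to designated initializers if the tree builds as C99), makes the layout reviewable. The same fragility reaches out-of-tree modules: the member was inserted before `invoke` in kdb_vftabl rather than appended, so a module compiled against the previous layout would have its invoke pointer read as check_transited_realms; if the DAL carries a version or ABI constant it should be bumped, which I cannot see in this commit.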

Modified: trunk/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- trunk/src/plugins/kdb/ldap/ldap_exp.c	2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/plugins/kdb/ldap/ldap_exp.c	2010-07-12 18:53:54 UTC (rev 24183)
@@ -83,6 +83,7 @@
     /* decrypt_key_data */                  NULL,
     /* encrypt_key_data */                  NULL,
     /* sign_authdata */                     NULL,
+    /* check_transited_realms */            NULL,
     /* invoke */                            krb5_ldap_invoke,
 
 };



