svn rev #24183: trunk/src/ include/ kdc/ lib/kdb/ plugins/kdb/db2/ plugins/kdb/ldap/
ghudson@MIT.EDU
ghudson at MIT.EDU
Mon Jul 12 14:53:54 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24183
Commit By: ghudson
Log Message:
ticket: 6749
status: open
Add check_transited_realms to the DAL table with a corresponding
libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke.
Changed Files:
U trunk/src/include/kdb.h
U trunk/src/kdc/kdc_util.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/plugins/kdb/db2/db2_exp.c
U trunk/src/plugins/kdb/ldap/ldap_exp.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h 2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/include/kdb.h 2010-07-12 18:53:54 UTC (rev 24183)
@@ -323,7 +323,6 @@
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
/* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
@@ -331,13 +330,6 @@
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-typedef struct _kdb_check_transited_realms_req {
- krb5_magic magic;
- const krb5_data *tr_contents;
- const krb5_data *client_realm;
- const krb5_data *server_realm;
-} kdb_check_transited_realms_req;
-
typedef struct _kdb_check_policy_as_req {
krb5_magic magic;
krb5_kdc_req *request;
@@ -652,6 +644,11 @@
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data);
+krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm);
+
krb5_error_code krb5_db_invoke ( krb5_context kcontext,
unsigned int method,
const krb5_data *req,
@@ -1256,16 +1253,20 @@
krb5_authdata ***signed_auth_data);
/*
+ * Optional: Perform a policy check on a cross-realm ticket's transited
+ * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+ * check fails.
+ */
+ krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm);
+
+ /*
* Optional: Perform an operation on input data req with output stored in
* rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
* method. Defined methods are:
*
- *
- * KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
- * kdb_check_transited_realms_req structure. Perform a policy check on
- * a cross-realm ticket's transited field and return an error (other
- * than KRB5_PLUGIN_OP_NOTSUPP) if the check fails. Leave rep alone.
- *
* KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req
* structure. Perform a policy check on an AS request, in addition to
* the standard policy checks. Return 0 if the AS request is allowed
Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c 2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/kdc/kdc_util.c 2010-07-12 18:53:54 UTC (rev 24183)
@@ -2267,37 +2267,16 @@
const krb5_data *realm2)
{
krb5_error_code code;
- kdb_check_transited_realms_req req;
- krb5_data req_data;
- krb5_data rep_data;
- /* First check using krb5.conf */
+ /* Check using krb5.conf */
code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
if (code)
return code;
- memset(&req, 0, sizeof(req));
-
- req.tr_contents = trans;
- req.client_realm = realm1;
- req.server_realm = realm2;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- code = krb5_db_invoke(context,
- KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP) {
+ /* Check against the KDB module. */
+ code = krb5_db_check_transited_realms(context, trans, realm1, realm2);
+ if (code == KRB5_PLUGIN_OP_NOTSUPP)
code = 0;
- }
-
- assert(rep_data.length == 0);
-
return code;
}
Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c 2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/lib/kdb/kdb5.c 2010-07-12 18:53:54 UTC (rev 24183)
@@ -2247,6 +2247,24 @@
}
krb5_error_code
+krb5_db_check_transited_realms(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm)
+{
+ krb5_error_code status;
+ kdb_vftabl *v;
+
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+ if (v->check_transited_realms == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->check_transited_realms(kcontext, tr_contents, client_realm,
+ server_realm);
+}
+
+krb5_error_code
krb5_db_invoke(krb5_context kcontext,
unsigned int method,
const krb5_data *req,
Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports 2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/lib/kdb/libkdb5.exports 2010-07-12 18:53:54 UTC (rev 24183)
@@ -3,6 +3,7 @@
krb5_db_inited
krb5_db_alloc
krb5_db_free
+krb5_db_check_transited_realms
krb5_db_create
krb5_db_delete_principal
krb5_db_destroy
Modified: trunk/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- trunk/src/plugins/kdb/db2/db2_exp.c 2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/plugins/kdb/db2/db2_exp.c 2010-07-12 18:53:54 UTC (rev 24183)
@@ -242,6 +242,6 @@
/* get_master_key_list */ wrap_krb5_db2_get_mkey_list,
/* blah blah blah */ 0,0,0,0,0,
/* promote_db */ wrap_krb5_db2_promote_db,
- 0, 0, 0,
+ 0, 0, 0, 0,
/* invoke */ wrap_krb5_db2_invoke
};
Modified: trunk/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- trunk/src/plugins/kdb/ldap/ldap_exp.c 2010-07-12 18:33:05 UTC (rev 24182)
+++ trunk/src/plugins/kdb/ldap/ldap_exp.c 2010-07-12 18:53:54 UTC (rev 24183)
@@ -83,6 +83,7 @@
/* decrypt_key_data */ NULL,
/* encrypt_key_data */ NULL,
/* sign_authdata */ NULL,
+ /* check_transited_realms */ NULL,
/* invoke */ krb5_ldap_invoke,
};
More information about the cvs-krb5
mailing list