svn rev #24012: trunk/src/ include/ include/krb5/ lib/krb5/ lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed May 12 16:49:11 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24012
Commit By: ghudson
Log Message:
Reimplement krb5_get_in_tkt_with_skey in terms of krb5_get_init_creds,
similar to how the password and keytab equivalents were done.
Eliminate krb5_get_in_tkt. It's been very hard to use since we made
krb5_kdc_rep_decrypt_proc private (in krb5 1.7 the prototype was taken
out of krb5.h altogether), and it's unlikely that anything would have
used it directly in the first place.
Remove and/or simplify a lot of code depended on by krb_get_in_tkt,
including all of preauth.c.
Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/krb5/krb/Makefile.in
U trunk/src/lib/krb5/krb/get_in_tkt.c
U trunk/src/lib/krb5/krb/in_tkt_sky.c
D trunk/src/lib/krb5/krb/preauth.c
U trunk/src/lib/krb5/libkrb5.exports
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2010-05-12 17:06:38 UTC (rev 24011)
+++ trunk/src/include/k5-int.h 2010-05-12 20:49:11 UTC (rev 24012)
@@ -1082,23 +1082,6 @@
krb5_preauth_process_proc process;
} krb5_preauth_ops;
-krb5_error_code
-krb5_obtain_padata(krb5_context, krb5_pa_data **,
- krb5_error_code (*)(krb5_context, const krb5_enctype,
- krb5_data *, krb5_const_pointer,
- krb5_keyblock **),
- krb5_const_pointer, krb5_creds *, krb5_kdc_req *);
-
-krb5_error_code
-krb5_process_padata(krb5_context, krb5_kdc_req *, krb5_kdc_rep *,
- krb5_error_code (*)(krb5_context, const krb5_enctype,
- krb5_data *, krb5_const_pointer,
- krb5_keyblock **),
- krb5_const_pointer,
- krb5_error_code (*)(krb5_context, const krb5_keyblock *,
- krb5_const_pointer, krb5_kdc_rep *),
- krb5_keyblock **, krb5_creds *, krb5_int32 *);
-
krb5_pa_data *
krb5int_find_pa_data(krb5_context, krb5_pa_data *const *, krb5_preauthtype);
/* Does not return a copy; original padata sequence responsible for freeing*/
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin 2010-05-12 17:06:38 UTC (rev 24011)
+++ trunk/src/include/krb5/krb5.hin 2010-05-12 20:49:11 UTC (rev 24012)
@@ -1950,17 +1950,6 @@
#if KRB5_DEPRECATED
KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt(krb5_context, krb5_flags, krb5_address *const *,
- krb5_enctype *, krb5_preauthtype *,
- krb5_error_code (*)(krb5_context, krb5_enctype, krb5_data *,
- krb5_const_pointer, krb5_keyblock **),
- krb5_const_pointer,
- krb5_error_code (*)(krb5_context, const krb5_keyblock *,
- krb5_const_pointer, krb5_kdc_rep * ),
- krb5_const_pointer, krb5_creds *, krb5_ccache,
- krb5_kdc_rep **);
-
-KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_password(krb5_context, krb5_flags, krb5_address *const *,
krb5_enctype *, krb5_preauthtype *, const char *,
krb5_ccache, krb5_creds *, krb5_kdc_rep **);
Modified: trunk/src/lib/krb5/krb/Makefile.in
===================================================================
--- trunk/src/lib/krb5/krb/Makefile.in 2010-05-12 17:06:38 UTC (rev 24011)
+++ trunk/src/lib/krb5/krb/Makefile.in 2010-05-12 20:49:11 UTC (rev 24012)
@@ -75,7 +75,6 @@
pac_sign.o \
parse.o \
pr_to_salt.o \
- preauth.o \
preauth2.o \
gic_opt_set_pa.o \
princ_comp.o \
@@ -174,7 +173,6 @@
$(OUTPRE)pac_sign.$(OBJEXT) \
$(OUTPRE)parse.$(OBJEXT) \
$(OUTPRE)pr_to_salt.$(OBJEXT) \
- $(OUTPRE)preauth.$(OBJEXT) \
$(OUTPRE)preauth2.$(OBJEXT) \
$(OUTPRE)gic_opt_set_pa.$(OBJEXT) \
$(OUTPRE)princ_comp.$(OBJEXT) \
@@ -274,7 +272,6 @@
$(srcdir)/pac_sign.c \
$(srcdir)/parse.c \
$(srcdir)/pr_to_salt.c \
- $(srcdir)/preauth.c \
$(srcdir)/preauth2.c \
$(srcdir)/gic_opt_set_pa.c \
$(srcdir)/princ_comp.c \
Modified: trunk/src/lib/krb5/krb/get_in_tkt.c
===================================================================
--- trunk/src/lib/krb5/krb/get_in_tkt.c 2010-05-12 17:06:38 UTC (rev 24011)
+++ trunk/src/lib/krb5/krb/get_in_tkt.c 2010-05-12 20:49:11 UTC (rev 24012)
@@ -25,7 +25,6 @@
* or implied warranty.
*
*
- * krb5_get_in_tkt()
*/
#include <string.h>
@@ -45,48 +44,8 @@
#endif
#endif /* APPLE_PKINIT */
-/*
- All-purpose initial ticket routine, usually called via
- krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey.
-
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
-
- key_proc is called to fill in the key to be used for decryption.
- keyseed is passed on to key_proc.
-
- decrypt_proc is called to perform the decryption of the response (the
- encrypted part is in dec_rep->enc_part; the decrypted part should be
- allocated and filled into dec_rep->enc_part2
- arg is passed on to decrypt_proc.
-
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
-
- A succesful call will place the ticket in the credentials cache ccache
- and fill in creds with the ticket information used/returned..
-
- returns system errors, encryption errors
-
-*/
-
-
/* some typedef's for the function args to make things look a bit cleaner */
-typedef krb5_error_code (*git_key_proc) (krb5_context,
- krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
-
-typedef krb5_error_code (*git_decrypt_proc) (krb5_context,
- const krb5_keyblock *,
- krb5_const_pointer,
- krb5_kdc_rep * );
-
static krb5_error_code make_preauth_list (krb5_context,
krb5_preauthtype *,
int, krb5_pa_data ***);
@@ -112,175 +71,14 @@
return x + y;
}
-#if APPLE_PKINIT
-/*
- * Common code to generate krb5_kdc_req.nonce. Like the original MIT code this
- * just uses krb5_timeofday(); it should use a PRNG. Even more unfortunately this
- * value is used interchangeably with an explicit now_time throughout this module...
- */
static krb5_error_code
-gen_nonce(krb5_context context,
- krb5_int32 *nonce)
+decrypt_as_reply(krb5_context context, krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply, krb5_keyblock *key)
{
- krb5_int32 time_now;
- krb5_error_code retval = krb5_timeofday(context, &time_now);
- if(retval) {
- return retval;
- }
- *nonce = time_now;
- return 0;
-}
-#endif /* APPLE_PKINIT */
-
-/*
- * This function sends a request to the KDC, and gets back a response;
- * the response is parsed into ret_err_reply or ret_as_reply if the
- * reponse is a KRB_ERROR or a KRB_AS_REP packet. If it is some other
- * unexpected response, an error is returned.
- */
-static krb5_error_code
-send_as_request(krb5_context context,
- krb5_data *packet, const krb5_data *realm,
- krb5_error ** ret_err_reply,
- krb5_kdc_rep ** ret_as_reply,
- int *use_master)
-{
- krb5_kdc_rep *as_reply = 0;
- krb5_error_code retval;
- krb5_data reply;
- char k4_version; /* same type as *(krb5_data::data) */
- int tcp_only = 0;
-
- reply.data = 0;
-
- /* set the nonce if the caller expects us to do it */
-
- k4_version = packet->data[0];
-send_again:
- retval = krb5_sendto_kdc(context, packet,
- realm,
- &reply, use_master, tcp_only);
-#if APPLE_PKINIT
- inTktDebug("krb5_sendto_kdc returned %d\n", (int)retval);
-#endif /* APPLE_PKINIT */
-
- if (retval)
- goto cleanup;
-
- /* now decode the reply...could be error or as_rep */
- if (krb5_is_krb_error(&reply)) {
- krb5_error *err_reply;
-
- if ((retval = decode_krb5_error(&reply, &err_reply)))
- /* some other error code--??? */
- goto cleanup;
-
- if (ret_err_reply) {
- if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG
- && tcp_only == 0) {
- tcp_only = 1;
- krb5_free_error(context, err_reply);
- free(reply.data);
- reply.data = 0;
- goto send_again;
- }
- *ret_err_reply = err_reply;
- } else
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
-
- /*
- * Check to make sure it isn't a V4 reply.
- */
- if (!krb5_is_as_rep(&reply)) {
-/* these are in <kerberosIV/prot.h> as well but it isn't worth including. */
-#define V4_KRB_PROT_VERSION 4
-#define V4_AUTH_MSG_ERR_REPLY (5<<1)
- /* check here for V4 reply */
- unsigned int t_switch;
-
- /* From v4 g_in_tkt.c: This used to be
- switch (pkt_msg_type(rpkt) & ~1) {
- but SCO 3.2v4 cc compiled that incorrectly. */
- t_switch = reply.data[1];
- t_switch &= ~1;
-
- if (t_switch == V4_AUTH_MSG_ERR_REPLY
- && (reply.data[0] == V4_KRB_PROT_VERSION
- || reply.data[0] == k4_version)) {
- retval = KRB5KRB_AP_ERR_V4_REPLY;
- } else {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- }
- goto cleanup;
- }
-
- /* It must be a KRB_AS_REP message, or an bad returned packet */
- if ((retval = decode_krb5_as_rep(&reply, &as_reply)))
- /* some other error code ??? */
- goto cleanup;
-
- if (as_reply->msg_type != KRB5_AS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_free_kdc_rep(context, as_reply);
- goto cleanup;
- }
-
- if (ret_as_reply)
- *ret_as_reply = as_reply;
- else
- krb5_free_kdc_rep(context, as_reply);
-
-cleanup:
- if (reply.data)
- free(reply.data);
- return retval;
-}
-
-static krb5_error_code
-decrypt_as_reply(krb5_context context,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply,
- git_key_proc key_proc,
- krb5_const_pointer keyseed,
- krb5_keyblock * key,
- git_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg)
-{
- krb5_error_code retval;
- krb5_keyblock * decrypt_key = 0;
- krb5_data salt;
-
if (as_reply->enc_part2)
return 0;
- if (key)
- decrypt_key = key;
- else {
- /*
- * Use salt corresponding to the client principal supplied by
- * the KDC, which may differ from the requested principal if
- * canonicalization is in effect. We will check
- * as_reply->client later in verify_as_reply.
- */
- if ((retval = krb5_principal2salt(context, as_reply->client, &salt)))
- return(retval);
-
- retval = (*key_proc)(context, as_reply->enc_part.enctype,
- &salt, keyseed, &decrypt_key);
- free(salt.data);
- if (retval)
- goto cleanup;
- }
-
- if ((retval = (*decrypt_proc)(context, decrypt_key, decryptarg, as_reply)))
- goto cleanup;
-
-cleanup:
- if (!key && decrypt_key)
- krb5_free_keyblock(context, decrypt_key);
- return (retval);
+ return krb5_kdc_rep_decrypt_proc(context, key, NULL, as_reply);
}
/**
@@ -561,65 +359,8 @@
}
#define MAX_IN_TKT_LOOPS 16
-static const krb5_enctype get_in_tkt_enctypes[] = {
- ENCTYPE_DES3_CBC_SHA1,
- ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_CRC,
- 0
-};
static krb5_error_code
-rewrite_server_realm(krb5_context context,
- krb5_const_principal old_server,
- const krb5_data *realm,
- krb5_boolean tgs,
- krb5_principal *server)
-{
- krb5_error_code retval;
-
- assert(*server == NULL);
-
- retval = krb5_copy_principal(context, old_server, server);
- if (retval)
- return retval;
-
- krb5_free_data_contents(context, &(*server)->realm);
- (*server)->realm.data = NULL;
-
- retval = krb5int_copy_data_contents(context, realm, &(*server)->realm);
- if (retval)
- goto cleanup;
-
- if (tgs) {
- krb5_free_data_contents(context, &(*server)->data[1]);
- (*server)->data[1].data = NULL;
-
- retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]);
- if (retval)
- goto cleanup;
- }
-
-cleanup:
- if (retval) {
- krb5_free_principal(context, *server);
- *server = NULL;
- }
-
- return retval;
-}
-
-static inline int
-tgt_is_local_realm(krb5_creds *tgt)
-{
- return (tgt->server->length == 2
- && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
- && data_eq(tgt->server->data[1], tgt->client->realm)
- && data_eq(tgt->server->realm, tgt->client->realm));
-}
-
-static krb5_error_code
request_enc_pa_rep(krb5_pa_data ***padptr)
{
size_t size = 0;
@@ -643,271 +384,6 @@
return 0;
}
-krb5_error_code KRB5_CALLCONV
-krb5_get_in_tkt(krb5_context context,
- krb5_flags options,
- krb5_address * const * addrs,
- krb5_enctype * ktypes,
- krb5_preauthtype * ptypes,
- git_key_proc key_proc,
- krb5_const_pointer keyseed,
- git_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg,
- krb5_creds * creds,
- krb5_ccache ccache,
- krb5_kdc_rep ** ret_as_reply)
-{
- krb5_error_code retval;
- krb5_timestamp time_now;
- krb5_keyblock * decrypt_key = 0;
- krb5_kdc_req request;
- krb5_data *encoded_request;
- krb5_error * err_reply;
- krb5_kdc_rep * as_reply = 0;
- krb5_pa_data ** preauth_to_use = 0;
- int loopcount = 0;
- krb5_int32 do_more = 0;
- int canon_flag;
- int use_master = 0;
- int referral_count = 0;
- krb5_principal_data referred_client;
- krb5_principal referred_server = NULL;
- krb5_boolean is_tgt_req;
-
-#if APPLE_PKINIT
- inTktDebug("krb5_get_in_tkt top\n");
-#endif /* APPLE_PKINIT */
-
- if (! krb5_realm_compare(context, creds->client, creds->server))
- return KRB5_IN_TKT_REALM_MISMATCH;
-
- if (ret_as_reply)
- *ret_as_reply = 0;
-
- referred_client = *(creds->client);
- referred_client.realm.data = NULL;
- referred_client.realm.length = 0;
-
- /* per referrals draft, enterprise principals imply canonicalization */
- canon_flag = ((options & KDC_OPT_CANONICALIZE) != 0) ||
- creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
-
- /*
- * Set up the basic request structure
- */
- request.magic = KV5M_KDC_REQ;
- request.msg_type = KRB5_AS_REQ;
- request.addresses = 0;
- request.ktype = 0;
- request.padata = 0;
- if (addrs)
- request.addresses = (krb5_address **) addrs;
- else
- if ((retval = krb5_os_localaddr(context, &request.addresses)))
- goto cleanup;
- request.kdc_options = options;
- request.client = creds->client;
- request.server = creds->server;
- request.nonce = 0;
- request.from = creds->times.starttime;
- request.till = creds->times.endtime;
- request.rtime = creds->times.renew_till;
-#if APPLE_PKINIT
- retval = gen_nonce(context, (krb5_int32 *)&time_now);
- if(retval) {
- goto cleanup;
- }
- request.nonce = time_now;
-#endif /* APPLE_PKINIT */
-
- retval = krb5int_copy_etypes(get_in_tkt_enctypes, &request.ktype);
- request.nktypes = krb5int_count_etypes(request.ktype);
- if (ktypes) {
- int i, req, next = 0;
- for (req = 0; ktypes[req]; req++) {
- if (ktypes[req] == request.ktype[next]) {
- next++;
- continue;
- }
- for (i = next + 1; i < request.nktypes; i++)
- if (ktypes[req] == request.ktype[i]) {
- /* Found the enctype we want, but not in the
- position we want. Move it, but keep the old
- one from the desired slot around in case it's
- later in our requested-ktypes list. */
- krb5_enctype t;
- t = request.ktype[next];
- request.ktype[next] = request.ktype[i];
- request.ktype[i] = t;
- next++;
- break;
- }
- /* If we didn't find it, don't do anything special, just
- drop it. */
- }
- request.ktype[next] = 0;
- request.nktypes = next;
- }
- request.authorization_data.ciphertext.length = 0;
- request.authorization_data.ciphertext.data = 0;
- request.unenc_authdata = 0;
- request.second_ticket = 0;
-
- /*
- * If a list of preauth types are passed in, convert it to a
- * preauth_to_use list.
- */
- if (ptypes) {
- retval = make_preauth_list(context, ptypes, -1, &preauth_to_use);
- if (retval)
- goto cleanup;
- }
-
- is_tgt_req = tgt_is_local_realm(creds);
-
- while (1) {
- if (loopcount++ > MAX_IN_TKT_LOOPS) {
- retval = KRB5_GET_IN_TKT_LOOP;
- goto cleanup;
- }
-
-#if APPLE_PKINIT
- inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n");
-#endif /* APPLE_PKINIT */
- if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc,
- keyseed, creds, &request)) != 0)
- goto cleanup;
- if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
- preauth_to_use = 0;
-
- err_reply = 0;
- as_reply = 0;
-
- if ((retval = krb5_timeofday(context, &time_now)))
- goto cleanup;
-
- /*
- * XXX we know they are the same size... and we should do
- * something better than just the current time
- */
- request.nonce = (krb5_int32) time_now;
-
- if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0)
- goto cleanup;
- retval = send_as_request(context, encoded_request,
- krb5_princ_realm(context, request.client), &err_reply,
- &as_reply, &use_master);
- krb5_free_data(context, encoded_request);
- if (retval != 0)
- goto cleanup;
-
- if (err_reply) {
- if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
- err_reply->e_data.length > 0) {
- retval = decode_krb5_padata_sequence(&err_reply->e_data,
- &preauth_to_use);
- krb5_free_error(context, err_reply);
- if (retval)
- goto cleanup;
- retval = sort_krb5_padata_sequence(context,
- &request.server->realm,
- preauth_to_use);
- if (retval)
- goto cleanup;
- continue;
- } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
- if (++referral_count > KRB5_REFERRAL_MAXHOPS ||
- err_reply->client == NULL ||
- err_reply->client->realm.length == 0) {
- retval = KRB5KDC_ERR_WRONG_REALM;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- /* Rewrite request.client with realm from error reply */
- if (referred_client.realm.data) {
- krb5_free_data_contents(context, &referred_client.realm);
- referred_client.realm.data = NULL;
- }
- retval = krb5int_copy_data_contents(context,
- &err_reply->client->realm,
- &referred_client.realm);
- krb5_free_error(context, err_reply);
- if (retval)
- goto cleanup;
- request.client = &referred_client;
-
- if (referred_server != NULL) {
- krb5_free_principal(context, referred_server);
- referred_server = NULL;
- }
-
- retval = rewrite_server_realm(context,
- creds->server,
- &referred_client.realm,
- is_tgt_req,
- &referred_server);
- if (retval)
- goto cleanup;
- request.server = referred_server;
-
- continue;
- } else {
- retval = (krb5_error_code) err_reply->error
- + ERROR_TABLE_BASE_krb5;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- } else if (!as_reply) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto cleanup;
- }
- if ((retval = krb5_process_padata(context, &request, as_reply,
- key_proc, keyseed, decrypt_proc,
- &decrypt_key, creds,
- &do_more)) != 0)
- goto cleanup;
-
- if (!do_more)
- break;
- }
-
- if ((retval = decrypt_as_reply(context, &request, as_reply, key_proc,
- keyseed, decrypt_key, decrypt_proc,
- decryptarg)))
- goto cleanup;
-
- if ((retval = verify_as_reply(context, time_now, &request, as_reply)))
- goto cleanup;
-
- if ((retval = stash_as_reply(context, time_now, &request, as_reply,
- creds, ccache)))
- goto cleanup;
-
-cleanup:
- if (request.ktype)
- free(request.ktype);
- if (!addrs && request.addresses)
- krb5_free_addresses(context, request.addresses);
- if (request.padata)
- krb5_free_pa_data(context, request.padata);
- if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
- if (decrypt_key)
- krb5_free_keyblock(context, decrypt_key);
- if (as_reply) {
- if (ret_as_reply)
- *ret_as_reply = as_reply;
- else
- krb5_free_kdc_rep(context, as_reply);
- }
- if (referred_client.realm.data)
- krb5_free_data_contents(context, &referred_client.realm);
- if (referred_server)
- krb5_free_principal(context, referred_server);
- return (retval);
-}
-
/* Sort a pa_data sequence so that types named in the "preferred_preauth_types"
* libdefaults entry are listed before any others. */
static krb5_error_code
@@ -1904,9 +1380,7 @@
&encrypting_key);
if (code != 0)
goto cleanup;
- code = decrypt_as_reply(context, NULL, ctx->reply, NULL, NULL,
- &encrypting_key, krb5_kdc_rep_decrypt_proc,
- NULL);
+ code = decrypt_as_reply(context, NULL, ctx->reply, &encrypting_key);
} else
code = -1;
@@ -1925,9 +1399,7 @@
if (code != 0)
goto cleanup;
- code = decrypt_as_reply(context, NULL, ctx->reply, NULL, NULL,
- &encrypting_key, krb5_kdc_rep_decrypt_proc,
- NULL);
+ code = decrypt_as_reply(context, NULL, ctx->reply, &encrypting_key);
if (code != 0)
goto cleanup;
}
Modified: trunk/src/lib/krb5/krb/in_tkt_sky.c
===================================================================
--- trunk/src/lib/krb5/krb/in_tkt_sky.c 2010-05-12 17:06:38 UTC (rev 24011)
+++ trunk/src/lib/krb5/krb/in_tkt_sky.c 2010-05-12 20:49:11 UTC (rev 24012)
@@ -31,39 +31,21 @@
#include "k5-int.h"
-struct skey_keyproc_arg {
- const krb5_keyblock *key;
- krb5_principal client; /* it's a pointer, really! */
-};
-
-/*
- * Key-generator for in_tkt_skey, below.
- * "keyseed" is actually a krb5_keyblock *, or NULL if we should fetch
- * from system area.
- */
+/* A krb5_gic_get_as_key_fct shim for copying a caller-provided keyblock into
+ * the AS keyblock. */
static krb5_error_code
-skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
+get_as_key_skey(krb5_context context, krb5_principal client,
+ krb5_enctype etype, krb5_prompter_fct prompter,
+ void *prompter_data, krb5_data *salt, krb5_data *params,
+ krb5_keyblock *as_key, void *gak_data)
{
- krb5_keyblock *realkey;
- krb5_error_code retval;
- const krb5_keyblock * keyblock;
+ const krb5_keyblock *key = gak_data;
- keyblock = (const krb5_keyblock *)keyseed;
-
- if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
-
- if ((retval = krb5_copy_keyblock(context, keyblock, &realkey)))
- return retval;
-
- if (realkey->enctype != type) {
- krb5_free_keyblock(context, realkey);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
-
- *key = realkey;
- return 0;
+ if (!krb5_c_valid_enctype(etype))
+ return(KRB5_PROG_ETYPE_NOSUPP);
+ if (as_key->length)
+ krb5_free_keyblock_contents(context, as_key);
+ return krb5int_c_copy_keyblock_contents(context, key, as_key);
}
/*
@@ -94,15 +76,45 @@
const krb5_keyblock *key, krb5_ccache ccache,
krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
- if (key)
- return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- skey_keyproc, (krb5_const_pointer)key,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply);
+ krb5_error_code retval;
+ char *server;
+ krb5_principal server_princ, client_princ;
+ int use_master = 0;
+ krb5_get_init_creds_opt *opts = NULL;
+
#ifndef LEAN_CLIENT
- else
+ if (key == NULL) {
return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
pre_auth_types, NULL, ccache,
creds, ret_as_reply);
+ }
#endif /* LEAN_CLIENT */
+
+ retval = krb5int_populate_gic_opt(context, &opts, options, addrs, ktypes,
+ pre_auth_types, creds);
+ if (retval)
+ return retval;
+ retval = krb5_unparse_name(context, creds->server, &server);
+ if (retval) {
+ krb5_get_init_creds_opt_free(context, opts);
+ return retval;
+ }
+ server_princ = creds->server;
+ client_princ = creds->client;
+ retval = krb5int_get_init_creds(context, creds, creds->client,
+ krb5_prompter_posix, NULL, 0, server, opts,
+ get_as_key_skey, (void *) key, &use_master,
+ ret_as_reply);
+ krb5_free_unparsed_name(context, server);
+ krb5_get_init_creds_opt_free(context, opts);
+ if (retval)
+ return retval;
+ krb5_free_principal( context, creds->server);
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+ /* store it in the ccache! */
+ if (ccache)
+ retval = krb5_cc_store_cred(context, ccache, creds);
+ return retval;
}
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2010-05-12 17:06:38 UTC (rev 24011)
+++ trunk/src/lib/krb5/libkrb5.exports 2010-05-12 20:49:11 UTC (rev 24012)
@@ -331,7 +331,6 @@
krb5_get_error_message
krb5_get_fallback_host_realm
krb5_get_host_realm
-krb5_get_in_tkt
krb5_get_in_tkt_with_keytab
krb5_get_in_tkt_with_password
krb5_get_in_tkt_with_skey
@@ -428,7 +427,6 @@
krb5_mk_safe
krb5_net_read
krb5_net_write
-krb5_obtain_padata
krb5_os_free_context
krb5_os_hostaddr
krb5_os_init_context
@@ -448,7 +446,6 @@
krb5_principal_compare
krb5_principal_compare_any_realm
krb5_principal_compare_flags
-krb5_process_padata
krb5_prompter_posix
krb5_rc_close
krb5_rc_default
More information about the cvs-krb5
mailing list