krb5 commit: Simplify TGS request construction
Greg Hudson
ghudson at MIT.EDU
Sat Feb 9 18:44:46 EST 2013
https://github.com/krb5/krb5/commit/92e2bac0f38f7f60a8fc74b5964357212c4289e1
commit 92e2bac0f38f7f60a8fc74b5964357212c4289e1
Author: Greg Hudson <ghudson at mit.edu>
Date: Fri Feb 8 01:59:19 2013 -0500
Simplify TGS request construction
Move krb5int_make_tgs_request from gc_via_tkt.c into send_tgs.c,
combine it with krb5int_make_tgs_request_ext (which nothing else
called), and rename the combined function to k5_make_tgs_req. Also
use a typedef for the pacb callback.
src/lib/krb5/krb/gc_via_tkt.c | 81 +++--------------------------------------
src/lib/krb5/krb/get_creds.c | 10 ++---
src/lib/krb5/krb/int-proto.h | 66 ++++++++-------------------------
src/lib/krb5/krb/send_tgs.c | 74 +++++++++++++++++--------------------
4 files changed, 60 insertions(+), 171 deletions(-)
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index b6b8232..4c7268a 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -167,67 +167,6 @@ krb5_get_cred_via_tkt(krb5_context context, krb5_creds *tkt,
}
krb5_error_code
-krb5int_make_tgs_request(krb5_context context,
- struct krb5int_fast_request_state *fast_state,
- krb5_creds *tkt,
- krb5_flags kdcoptions,
- krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_data *request_data,
- krb5_timestamp *timestamp,
- krb5_int32 *nonce,
- krb5_keyblock **subkey)
-{
- krb5_error_code retval;
- krb5_enctype *enctypes = NULL;
- krb5_boolean second_tkt;
-
- request_data->data = NULL;
- *timestamp = 0;
- *subkey = NULL;
-
- /* tkt->client must be equal to in_cred->client */
- if (!krb5_principal_compare(context, tkt->client, in_cred->client))
- return KRB5_PRINC_NOMATCH;
-
- if (!tkt->ticket.length)
- return KRB5_NO_TKT_SUPPLIED;
-
- second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY |
- KDC_OPT_CNAME_IN_ADDL_TKT)) != 0);
- if (second_tkt && !in_cred->second_ticket.length)
- return KRB5_NO_2ND_TKT;
-
- if (in_cred->keyblock.enctype) {
- enctypes = (krb5_enctype *)malloc(sizeof(krb5_enctype)*2);
- if (enctypes == NULL)
- return ENOMEM;
- enctypes[0] = in_cred->keyblock.enctype;
- enctypes[1] = 0;
- }
-
- retval = krb5int_make_tgs_request_ext(context, fast_state, kdcoptions,
- &in_cred->times,
- enctypes, in_cred->server, address,
- in_cred->authdata, in_padata,
- second_tkt ?
- &in_cred->second_ticket : 0,
- tkt, pacb_fct, pacb_data,
- request_data,
- timestamp, nonce, subkey);
- if (enctypes != NULL)
- free(enctypes);
-
- return retval;
-}
-
-krb5_error_code
krb5int_process_tgs_reply(krb5_context context,
struct krb5int_fast_request_state *fast_state,
krb5_data *response_data,
@@ -400,17 +339,11 @@ cleanup:
krb5_error_code
krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
krb5_flags kdcoptions, krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
+ krb5_pa_data **in_padata, krb5_creds *in_cred,
+ k5_pacb_fn pacb_fn, void *pacb_data,
krb5_pa_data ***out_padata,
krb5_pa_data ***out_enc_padata,
- krb5_creds **out_cred,
- krb5_keyblock **out_subkey)
+ krb5_creds **out_cred, krb5_keyblock **out_subkey)
{
krb5_error_code retval;
krb5_data request_data;
@@ -433,11 +366,9 @@ krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
TRACE_GET_CRED_VIA_TKT_EXT(context, in_cred->server, tkt->server,
kdcoptions);
- retval = krb5int_make_tgs_request(context, fast_state, tkt, kdcoptions,
- address, in_padata, in_cred,
- pacb_fct, pacb_data,
- &request_data, ×tamp, &nonce,
- &subkey);
+ retval = k5_make_tgs_req(context, fast_state, tkt, kdcoptions, address,
+ in_padata, in_cred, pacb_fn, pacb_data,
+ &request_data, ×tamp, &nonce, &subkey);
if (retval != 0)
goto cleanup;
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 21cb22d..9e28f48 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -277,12 +277,10 @@ make_request(krb5_context context, krb5_tkt_creds_context ctx,
krb5_free_keyblock(context, ctx->subkey);
ctx->subkey = NULL;
- code = krb5int_make_tgs_request(context, ctx->fast_state,
- ctx->cur_tgt, ctx->kdcopt,
- ctx->cur_tgt->addresses, NULL,
- ctx->tgs_in_creds, NULL, NULL, &request,
- &ctx->timestamp, &ctx->nonce,
- &ctx->subkey);
+ code = k5_make_tgs_req(context, ctx->fast_state, ctx->cur_tgt, ctx->kdcopt,
+ ctx->cur_tgt->addresses, NULL, ctx->tgs_in_creds,
+ NULL, NULL, &request, &ctx->timestamp, &ctx->nonce,
+ &ctx->subkey);
if (code != 0)
return code;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 4ebae56..6d7939e 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -82,60 +82,26 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
(krb5_princ_size((c), (p)) == 2 && \
data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
-krb5_error_code
-krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*gcvt_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *gcvt_data,
- krb5_pa_data ***out_padata,
- krb5_pa_data ***enc_padata,
- krb5_creds **out_cred,
- krb5_keyblock **out_subkey);
+typedef krb5_error_code
+(*k5_pacb_fn)(krb5_context context, krb5_keyblock *subkey, krb5_kdc_req *req,
+ void *arg);
krb5_error_code
-krb5int_make_tgs_request_ext(krb5_context context,
- struct krb5int_fast_request_state *,
- krb5_flags kdcoptions,
- const krb5_ticket_times *timestruct,
- const krb5_enctype *ktypes,
- krb5_const_principal sname,
- krb5_address *const *addrs,
- krb5_authdata *const *authorization_data,
- krb5_pa_data *const *padata,
- const krb5_data *second_ticket,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_data *request_data,
- krb5_timestamp *timestamp,
- krb5_int32 *nonce,
- krb5_keyblock **subkey);
+krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata, krb5_creds *in_cred,
+ k5_pacb_fn pacb_fn, void *pacb_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***enc_padata, krb5_creds **out_cred,
+ krb5_keyblock **out_subkey);
krb5_error_code
-krb5int_make_tgs_request(krb5_context context,
- struct krb5int_fast_request_state *,
- krb5_creds *tkt,
- krb5_flags kdcoptions,
- krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_data *request_data,
- krb5_timestamp *timestamp,
- krb5_int32 *nonce,
- krb5_keyblock **subkey);
+k5_make_tgs_req(krb5_context context, struct krb5int_fast_request_state *,
+ krb5_creds *tkt, krb5_flags kdcoptions,
+ krb5_address *const *address, krb5_pa_data **in_padata,
+ krb5_creds *in_cred, k5_pacb_fn pacb_fn, void *pacb_data,
+ krb5_data *req_asn1_out, krb5_timestamp *timestamp_out,
+ krb5_int32 *nonce_out, krb5_keyblock **subkey_out);
krb5_error_code
krb5int_process_tgs_reply(krb5_context context,
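Review bot: The new `k5_pacb_fn` typedef at the top of this hunk has no comment describing the callback's contract, even though the prototypes that previously spelled out the function-pointer type now rely on it alone. The send_tgs.c header comment describes the hook as a way to amend the request padata after the nonce and subkey are determined; a comment above the typedef along the lines of `/* Callback invoked by k5_make_tgs_req after the nonce and subkey are chosen, so the caller can amend req->padata; arg is the caller's pacb_data. */` would keep that contract visible where the type is declared. A smaller point of style: the typedef names its last parameter `arg` while both prototypes and the callers call it `pacb_data`; using one name would make the pairing obvious.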
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 89ac529..f4187dc 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -114,26 +114,13 @@ cleanup:
* to amend the request padata after the nonce and subkey are determined.
*/
krb5_error_code
-krb5int_make_tgs_request_ext(krb5_context context,
- struct krb5int_fast_request_state *fast_state,
- krb5_flags kdcoptions,
- const krb5_ticket_times *timestruct,
- const krb5_enctype *ktypes,
- krb5_const_principal sname,
- krb5_address *const *addrs,
- krb5_authdata *const *authorization_data,
- krb5_pa_data *const *in_padata,
- const krb5_data *second_ticket,
- krb5_creds *tgt,
- krb5_error_code (*pacb_fn)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_data *req_asn1_out,
- krb5_timestamp *timestamp_out,
- krb5_int32 *nonce_out,
- krb5_keyblock **subkey_out)
+k5_make_tgs_req(krb5_context context,
+ struct krb5int_fast_request_state *fast_state,
+ krb5_creds *tgt, krb5_flags kdcoptions,
+ krb5_address *const *addrs, krb5_pa_data **in_padata,
+ krb5_creds *desired, k5_pacb_fn pacb_fn, void *pacb_data,
+ krb5_data *req_asn1_out, krb5_timestamp *timestamp_out,
+ krb5_int32 *nonce_out, krb5_keyblock **subkey_out)
{
krb5_error_code ret;
krb5_kdc_req req;
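Review bot: The new signature collapses eight explicit request parameters (sname, timestruct, ktypes, authorization_data, second_ticket, ...) into the single `desired` credential, but the header comment above the function, of which only the last line is visible in this hunk, may still describe the request in terms of those individual inputs. If it does not already, it should state which fields of `desired` are consumed (`client`, `server`, `times`, `authdata`, `keyblock.enctype`, `second_ticket`) and that `tgt->client` must match `desired->client`, since that is now part of this function's contract rather than the caller's. The body of k5_make_tgs_req continues past the end of this hunk.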
@@ -145,7 +132,7 @@ krb5int_make_tgs_request_ext(krb5_context context,
krb5_pa_data **padata = NULL, *pa;
krb5_keyblock *subkey = NULL;
krb5_enc_data authdata_enc;
- krb5_enctype *defenctypes = NULL;
+ krb5_enctype enctypes[2], *defenctypes = NULL;
size_t count, i;
*req_asn1_out = empty_data();
@@ -155,16 +142,20 @@ krb5int_make_tgs_request_ext(krb5_context context,
memset(&req, 0, sizeof(req));
memset(&authdata_enc, 0, sizeof(authdata_enc));
+ /* tgt's client principal must match the desired client principal. */
+ if (!krb5_principal_compare(context, tgt->client, desired->client))
+ return KRB5_PRINC_NOMATCH;
+
/* tgt must be an actual credential, not a template. */
if (!tgt->ticket.length)
return KRB5_NO_TKT_SUPPLIED;
req.kdc_options = kdcoptions;
- req.server = (krb5_principal)sname;
- req.from = timestruct->starttime;
- req.till = timestruct->endtime ? timestruct->endtime : tgt->times.endtime;
- req.authorization_data.ciphertext.data = NULL;
- req.rtime = timestruct->renew_till;
+ req.server = desired->server;
+ req.from = desired->times.starttime;
+ req.till = desired->times.endtime ? desired->times.endtime :
+ tgt->times.endtime;
+ req.rtime = desired->times.renew_till;
ret = krb5_timeofday(context, &time_now);
if (ret)
return ret;
@@ -184,8 +175,8 @@ krb5int_make_tgs_request_ext(krb5_context context,
if (ret)
goto cleanup;
- if (authorization_data != NULL) {
- ret = encode_krb5_authdata(authorization_data, &authdata_asn1);
+ if (desired->authdata != NULL) {
+ ret = encode_krb5_authdata(desired->authdata, &authdata_asn1);
if (ret)
goto cleanup;
ret = krb5_encrypt_helper(context, subkey,
@@ -196,27 +187,30 @@ krb5int_make_tgs_request_ext(krb5_context context,
req.authorization_data = authdata_enc;
}
- /* Get the encryption types list. */
- if (ktypes != NULL) {
- /* Check passed enctypes and make sure they're valid. */
- for (req.nktypes = 0; ktypes[req.nktypes]; req.nktypes++) {
- if (!krb5_c_valid_enctype(ktypes[req.nktypes])) {
- ret = KRB5_PROG_ETYPE_NOSUPP;
- goto cleanup;
- }
+ if (desired->keyblock.enctype != ENCTYPE_NULL) {
+ if (!krb5_c_valid_enctype(desired->keyblock.enctype)) {
+ ret = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
}
- req.ktype = (krb5_enctype *)ktypes;
+ enctypes[0] = desired->keyblock.enctype;
+ enctypes[1] = ENCTYPE_NULL;
+ req.ktype = enctypes;
+ req.nktypes = 1;
} else {
/* Get the default TGS enctypes. */
- krb5_get_tgs_ktypes(context, sname, &defenctypes);
+ krb5_get_tgs_ktypes(context, desired->server, &defenctypes);
for (count = 0; defenctypes[count]; count++);
req.ktype = defenctypes;
req.nktypes = count;
}
TRACE_SEND_TGS_ETYPES(context, req.ktype);
- if (second_ticket != NULL) {
- ret = decode_krb5_ticket(second_ticket, &sec_ticket);
+ if (kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) {
+ if (desired->second_ticket.length == 0) {
+ ret = KRB5_NO_2ND_TKT;
+ goto cleanup;
+ }
+ ret = decode_krb5_ticket(&desired->second_ticket, &sec_ticket);
if (ret)
goto cleanup;
sec_ticket_arr[0] = sec_ticket;
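Review bot: The return value of `krb5_get_tgs_ktypes` in the else branch is still discarded, and `defenctypes` is dereferenced in the `for` on the following line, so a failure of that call (for example an allocation failure leaving `defenctypes` NULL) becomes a NULL dereference. The omission predates this commit, but the call is rewritten here and the fix is two lines: `ret = krb5_get_tgs_ktypes(context, desired->server, &defenctypes); if (ret) goto cleanup;`. The new single-enctype branch also stores the address of the automatic array `enctypes` in `req.ktype`, which is fine only if the cleanup path frees `defenctypes` rather than `req.ktype`; that path, along with the rest of k5_make_tgs_req, lies past the end of this hunk and should be checked.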