krb5 commit: Avoid deprecated krb5_get_in_tkt_with_keytab

Benjamin Kaduk kaduk at MIT.EDU
Mon Nov 4 14:22:23 EST 2013


https://github.com/krb5/krb5/commit/29dee7d2cece615bec4616fa9b727e77210051db
commit 29dee7d2cece615bec4616fa9b727e77210051db
Author: Ben Kaduk <kaduk at mit.edu>
Date:   Tue Jul 10 10:14:52 2012 -0400

    Avoid deprecated krb5_get_in_tkt_with_keytab
    
    The kprop code has been pretty unloved, and uses some routines that
    are marked as deprecated (which show up as warnings in the build log).
    Use the documented replacement for krb5_get_in_tkt_with_keytab,
    krb5_get_init_creds_keytab, instead.  As a bonus, there is no longer
    a side effect of a credentials cache that needs to be destroyed.
    
    The also-deprecated function krb5_get_in_tkt_with_skey was backending
    to it when no keyblock was passed in; we can unroll the call to
    krb5_get_init_creds_keytab ourselves as the documented workaround.
    While here, improve style compliance with regard to cleanup.
    
    The setkey test just wants to know whether it can use the key it
    just put into a keytab to get credentials; as such the recommended
    krb5_get_init_creds_keytab is quite sufficient.
    While here, use that interface to request the particular enctype
    as well, reducing the scope of an XXX comment.
    
    ticket: 6366

 src/lib/kadm5/unit-test/setkey-test.c |   22 +++++++++++--------
 src/lib/krb5/krb/in_tkt_sky.c         |   36 ++++++++++++++++++--------------
 src/slave/kprop.c                     |   34 +++++++++++-------------------
 3 files changed, 46 insertions(+), 46 deletions(-)

diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c
index c1b9c5d..4da236e 100644
--- a/src/lib/kadm5/unit-test/setkey-test.c
+++ b/src/lib/kadm5/unit-test/setkey-test.c
@@ -63,6 +63,7 @@ main(int argc, char **argv)
     krb5_keytab_entry ktent;
     krb5_encrypt_block eblock;
     krb5_creds my_creds;
+    krb5_get_init_creds_opt *opt;
     kadm5_principal_ent_rec princ_ent;
     krb5_principal princ, server;
     char pw[16];
@@ -138,8 +139,8 @@ main(int argc, char **argv)
      * For each enctype in the test, construct a random password/key.
      * Assign all keys to principal with kadm5_setkey_principal.  Add
      * each key to the keytab, and acquire an initial ticket with the
-     * keytab (XXX can I specify the enctype & kvno explicitly?).  If
-     * krb5_get_in_tkt_with_keytab succeeds, then the keys were set
+     * keytab (XXX can I specify the kvno explicitly?).  If
+     * krb5_get_init_creds_keytab succeeds, then the keys were set
      * successfully.
      */
     for (test = 0; tests[test] != NULL; test++) {
@@ -191,13 +192,16 @@ main(int argc, char **argv)
             my_creds.server = server;
 
             ktypes[0] = testp[encnum].enctype;
-            ret = krb5_get_in_tkt_with_keytab(context,
-                                              0 /* options */,
-                                              NULL /* addrs */,
-                                              ktypes,
-                                              NULL /* preauth */,
-                                              kt, 0,
-                                              &my_creds, 0);
+            ret = krb5_get_init_creds_opt_allocate(context, &opt);
+            if (ret) {
+                com_err(whoami, ret, "while allocating gic opts");
+                exit(1);
+            }
+            krb5_get_init_creds_opt_set_etype_list(opt, ktypes, 1);
+            ret = krb5_get_init_creds_keytab(context, &my_creds, princ,
+                                             kt, 0, NULL /* in_tkt_service */,
+                                             opt);
+            krb5_get_init_creds_opt_free(context, opt);
             if (ret) {
                 com_err(whoami, ret, "while acquiring initial ticket");
                 exit(1);
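Review bot: The `my_creds.server = server;` assignment kept just above the new call no longer affects the request, because krb5_get_init_creds_keytab is given the client as `princ` and the service as `NULL /* in_tkt_service */`, and fills `my_creds` as output. Whatever the loop stored in `my_creds` beforehand (only partly visible in this hunk) is presumably overwritten, so the cleanup after the call should be checked against the new ownership: the returned credentials need `krb5_free_cred_contents(context, &my_creds);`, and `princ`/`server` must not be released through `my_creds`. I would drop the now-unused pre-call assignments and add a comment such as `/* my_creds is output only; the request is described by princ and opt */`. main's body starts and ends outside the hunk.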
diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c
index b11e694..7a89226 100644
--- a/src/lib/krb5/krb/in_tkt_sky.c
+++ b/src/lib/krb5/krb/in_tkt_sky.c
@@ -78,23 +78,29 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
     int use_master = 0;
     krb5_get_init_creds_opt *opts = NULL;
 
+    retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes,
+                                 pre_auth_types, creds);
+    if (retval)
+        return retval;
+
+    retval = krb5_get_init_creds_opt_set_out_ccache(context, opts, ccache);
+    if (retval)
+        goto cleanup;
+
 #ifndef LEAN_CLIENT
     if (key == NULL) {
-        return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
-                                           pre_auth_types, NULL, ccache,
-                                           creds, ret_as_reply);
+        retval = krb5_get_init_creds_keytab(context, creds, creds->client,
+                                            NULL /* keytab */,
+                                            creds->times.starttime,
+                                            NULL /* in_tkt_service */,
+                                            opts);
+        goto cleanup;
     }
 #endif /* LEAN_CLIENT */
 
-    retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes,
-                                 pre_auth_types, creds);
-    if (retval)
-        return retval;
     retval = krb5_unparse_name(context, creds->server, &server);
-    if (retval) {
-        krb5_get_init_creds_opt_free(context, opts);
-        return retval;
-    }
+    if (retval)
+        goto cleanup;
     server_princ = creds->server;
     client_princ = creds->client;
     retval = k5_get_init_creds(context, creds, creds->client,
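Review bot: The `key == NULL` branch no longer honours two inputs that the removed call forwarded. `ret_as_reply` is not passed to anything on this path, and `creds->server` is ignored because the service is `NULL /* in_tkt_service */`, while the keyed path below still unparses `creds->server` into `server`. A caller that requests a non-default service, or that reads or frees `*ret_as_reply` afterwards, would apparently get a different ticket or a pointer this path never set, with no error to signal it. If that is acceptable for a deprecated entry point, record it at the branch, e.g. `/* Keytab fallback: creds->server and ret_as_reply are not honored here. */`; otherwise move the `krb5_unparse_name` call above the branch and pass `server` as in_tkt_service. The function continues into the next hunk, where the `cleanup:` label is added.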
@@ -102,15 +108,13 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
                                get_as_key_skey, (void *)key, &use_master,
                                ret_as_reply);
     krb5_free_unparsed_name(context, server);
-    krb5_get_init_creds_opt_free(context, opts);
     if (retval)
-        return retval;
+        goto cleanup;
     krb5_free_principal( context, creds->server);
     krb5_free_principal( context, creds->client);
     creds->client = client_princ;
     creds->server = server_princ;
-    /* store it in the ccache! */
-    if (ccache)
-        retval = krb5_cc_store_cred(context, ccache, creds);
+cleanup:
+    krb5_get_init_creds_opt_free(context, opts);
     return retval;
 }
diff --git a/src/slave/kprop.c b/src/slave/kprop.c
index b668147..f1fcc21 100644
--- a/src/slave/kprop.c
+++ b/src/slave/kprop.c
@@ -188,9 +188,10 @@ void get_tickets(context)
     krb5_context context;
 {
     char const ccname[] = "MEMORY:kpropcc";
-    char *def_realm;
+    char *def_realm, *server;
     krb5_error_code retval;
     krb5_keytab keytab = NULL;
+    krb5_principal server_princ = NULL;
 
     /*
      * Figure out what tickets we'll be using to send stuff
@@ -253,19 +254,17 @@ void get_tickets(context)
     memset(&creds, 0, sizeof(creds));
     retval = krb5_sname_to_principal(context,
                                      slave_host, KPROP_SERVICE_NAME,
-                                     KRB5_NT_SRV_HST, &creds.server);
+                                     KRB5_NT_SRV_HST, &server_princ);
     if (retval) {
         com_err(progname, errno, _("while setting server principal name"));
         (void) krb5_cc_destroy(context, ccache);
         exit(1);
     }
-    if (realm) {
-        retval = krb5_set_principal_realm(context, creds.server, realm);
-        if (retval) {
-            com_err(progname, errno,
-                    _("while setting server principal realm"));
-            exit(1);
-        }
+    retval = krb5_unparse_name_flags(context, server_princ,
+                                     KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server);
+    if (retval) {
+        com_err(progname, retval, _("while unparsing server name"));
+        exit(1);
     }
 
     /*
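Review bot: The removed `if (realm)` block has no counterpart in the new code, so the realm override no longer reaches the service name. The name is unparsed with `KRB5_PRINCIPAL_UNPARSE_NO_REALM` and the realm is left for krb5_get_init_creds_keytab to derive, presumably from `my_principal`. That is only equivalent if `my_principal` is always built in `realm`, which this hunk does not show; a comment such as `/* Realm is omitted; the service is looked up in my_principal's realm. */` would record the assumption. The new unparse failure branch also exits without the `krb5_cc_destroy` call that the branch above it makes, and that branch still reports `errno` rather than `retval`. get_tickets starts and ends outside the hunk.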
@@ -286,10 +285,10 @@ void get_tickets(context)
         }
     }
 
-    retval = krb5_get_in_tkt_with_keytab(context, 0, 0, NULL,
-                                         NULL, keytab, ccache, &creds, 0);
+    retval = krb5_get_init_creds_keytab(context, &creds, my_principal,
+                                        keytab, 0, server, NULL);
     if (retval) {
-        com_err(progname, retval, _("while getting initial ticket\n"));
+        com_err(progname, retval, _("while getting initial credentials\n"));
         (void) krb5_cc_destroy(context, ccache);
         exit(1);
     }
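Review bot: `ccache` is no longer passed to the credential request, but the failure branch here still calls `krb5_cc_destroy(context, ccache)`, and the last hunk removes the destroy on the success path. If the cache is still resolved earlier in get_tickets (outside this hunk; `ccname` is still declared in the first kprop.c hunk), it is now set up for nothing and torn down only on errors. I would remove the cache set-up and the remaining `krb5_cc_destroy` calls together, or keep a single destroy on the success path. Since `creds` is now the only holder of the session key, it is also worth confirming that it is released with `krb5_free_cred_contents` once the propagation is finished.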
@@ -297,15 +296,8 @@ void get_tickets(context)
     if (keytab)
         (void) krb5_kt_close(context, keytab);
 
-    /*
-     * Now destroy the cache right away --- the credentials we
-     * need will be in my_creds.
-     */
-    retval = krb5_cc_destroy(context, ccache);
-    if (retval) {
-        com_err(progname, retval, _("while destroying ticket cache"));
-        exit(1);
-    }
+    krb5_free_unparsed_name(context, server);
+    krb5_free_principal(context, server_princ);
 }
 
 static void

