krb5 commit: Remove unused code from cc_mslsa.c
Benjamin Kaduk
kaduk at mit.edu
Tue Sep 9 17:37:09 EDT 2014
https://github.com/krb5/krb5/commit/07aaaee56bf40bfef2847b6f09897ce1aa96773d
commit 07aaaee56bf40bfef2847b6f09897ce1aa96773d
Author: Ben Kaduk <kaduk at mit.edu>
Date: Wed Aug 13 16:28:57 2014 -0400
Remove unused code from cc_mslsa.c
Remove PreserveInitialTicketIdentity() and IsKerberosLogon(), as well
as the preprocessor conditionals ENABLE_PURGING and PURGE_ALL, which
have not been used in a very long time, if ever.
There was one potential callsite of IsKerberosLogon(), in
lcc_resolve(), which was disabled. It is perfectly reasonable to want
to use the MSLSA cache on a non-domain-joined workstation, as it is
now a read-write cache type, so we need not concern ourselves whether
the logon was performed or may have been performed using kerberos.
ticket: 7989
src/lib/krb5/ccache/cc_mslsa.c | 108 ----------------------------------------
1 files changed, 0 insertions(+), 108 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 0fe564c..cb4fdc1 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -317,48 +317,6 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d
return TRUE;
}
-/*
- * PreserveInitialTicketIdentity()
- *
- * This will find the "PreserveInitialTicketIdentity" key in the registry.
- * Returns 1 to preserve and 0 to not.
- */
-
-static DWORD
-PreserveInitialTicketIdentity(void)
-{
- HKEY hKey;
- DWORD size = sizeof(DWORD);
- DWORD type = REG_DWORD;
- const char *key_path = "Software\\MIT\\Kerberos5";
- const char *value_name = "PreserveInitialTicketIdentity";
- DWORD retval = 1; /* default to Preserve */
-
- if (RegOpenKeyExA(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
- goto syskey;
- if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
- {
- RegCloseKey(hKey);
- goto syskey;
- }
- RegCloseKey(hKey);
- goto done;
-
-syskey:
- if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
- goto done;
- if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
- {
- RegCloseKey(hKey);
- goto done;
- }
- RegCloseKey(hKey);
-
-done:
- return retval;
-}
-
-
static BOOL
MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm,
krb5_context context, krb5_creds *creds)
@@ -598,43 +556,6 @@ GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData)
return TRUE;
}
-//
-// IsKerberosLogon() does not validate whether or not there are valid tickets in the
-// cache. It validates whether or not it is reasonable to assume that if we
-// attempted to retrieve valid tickets we could do so. Microsoft does not
-// automatically renew expired tickets. Therefore, the cache could contain
-// expired or invalid tickets. Microsoft also caches the user's password
-// and will use it to retrieve new TGTs if the cache is empty and tickets
-// are requested.
-
-static BOOL
-IsKerberosLogon(VOID)
-{
- PSECURITY_LOGON_SESSION_DATA pSessionData = NULL;
- BOOL Success = FALSE;
-
- if ( GetSecurityLogonSessionData(&pSessionData) ) {
- if ( pSessionData->AuthenticationPackage.Buffer ) {
- WCHAR buffer[256];
- WCHAR *usBuffer;
- int usLength;
-
- Success = FALSE;
- usBuffer = (pSessionData->AuthenticationPackage).Buffer;
- usLength = (pSessionData->AuthenticationPackage).Length;
- if (usLength < 256)
- {
- lstrcpynW (buffer, usBuffer, usLength);
- lstrcatW (buffer,L"");
- if ( !lstrcmpW(L"Kerberos",buffer) )
- Success = TRUE;
- }
- }
- LsaFreeReturnBuffer(pSessionData);
- }
- return Success;
-}
-
static DWORD
ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * outRequest, ULONG * outSize)
{
@@ -957,7 +878,6 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
return(ret);
}
-#define ENABLE_PURGING 1
// to allow the purging of expired tickets from LSA cache. This is necessary
// to force the retrieval of new TGTs. Microsoft does not appear to retrieve
// new tickets when they expire. Instead they continue to accept the expired
@@ -989,9 +909,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
ULONG RequestSize;
ULONG ResponseSize;
-#ifdef ENABLE_PURGING
int purge_cache = 0;
-#endif /* ENABLE_PURGING */
int ignore_cache = 0;
krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0;
@@ -1085,9 +1003,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
* a credential we can use.
*/
-#ifdef PURGE_ALL
- purge_cache = 1;
-#else
/* Check Supported Enctypes */
if ( !enforce_tgs_enctypes ||
IsMSSessionKeyNull(&pTicketResponse->Ticket.SessionKey) ||
@@ -1108,11 +1023,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
MinLife.dwHighDateTime = (DWORD)((temp >> 32) & 0xFFFFFFFF);
MinLife.dwLowDateTime = (DWORD)(temp & 0xFFFFFFFF);
if (CompareFileTime(&MinLife, &LocalEndTime) >= 0) {
-#ifdef ENABLE_PURGING
purge_cache = 1;
-#else
- ignore_cache = 1;
-#endif /* ENABLE_PURGING */
}
if (pTicketResponse->Ticket.TicketFlags & KERB_TICKET_FLAGS_invalid) {
ignore_cache = 1; // invalid, need to attempt a TGT request
@@ -1122,7 +1033,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
// not supported
ignore_cache = 1;
}
-#endif /* PURGE_ALL */
Error = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName,
&pTicketRequest, &RequestSize);
@@ -1140,7 +1050,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
pTicketResponse = NULL;
}
-#ifdef ENABLE_PURGING
if ( purge_cache ) {
//
// Purge the existing tickets which we cannot use so new ones can
@@ -1149,7 +1058,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
//
PurgeAllTickets(LogonHandle, PackageId);
}
-#endif /* ENABLE_PURGING */
}
//
@@ -1160,12 +1068,8 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
pTicketRequest->LogonId.LowPart = 0;
pTicketRequest->LogonId.HighPart = 0;
// Note: pTicketRequest->TargetName set up above
-#ifdef ENABLE_PURGING
pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ?
KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
-#else
- pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
-#endif /* ENABLE_PURGING */
pTicketRequest->TicketFlags = 0L;
pTicketRequest->EncryptionType = 0L;
@@ -1623,18 +1527,6 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
KERB_EXTERNAL_TICKET *msticket;
krb5_error_code retval = KRB5_OK;
-#ifdef COMMENT
- /* In at least one case on Win2003 it appears that it is possible
- * for the logon session to be authenticated via NTLM and yet for
- * there to be Kerberos credentials obtained by the LSA on behalf
- * of the logged in user. Therefore, we are removing this test
- * which was meant to avoid the need to perform GetMSTGT() when
- * there was no possibility of credentials being found.
- */
- if (!IsKerberosLogon())
- return KRB5_FCC_NOFILE;
-#endif
-
if (!PackageConnectLookup(&LogonHandle, &PackageId))
return KRB5_FCC_NOFILE;
More information about the cvs-krb5
mailing list