krb5 commit: Rename krbtgt variable in KDC code
Greg Hudson
ghudson at mit.edu
Mon Jun 15 16:43:59 EDT 2015
https://github.com/krb5/krb5/commit/7cad84e1df664f9a1513a2899661bf2b62908dd7
commit 7cad84e1df664f9a1513a2899661bf2b62908dd7
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Feb 9 15:23:05 2015 -0500
Rename krbtgt variable in KDC code
In a TGS request, the header ticket server is usually a local or
cross-realm TGS principal, but for ticket modification requests it
doesn't have to be. Similarly, the server for an AS request is
usually a krbtgt principal, but in some cases it is not. Since the
KDC code must consider all possibilities, avoid using the name
"krbtgt" for entries which aren't necessarily TGTs.
In process_tgs_req(), rename krbtgt to header_server and tgskey to
header_key. In handle_authdata(), rename the parameters similarly and
pass NULL from process_as_req() for the header_server and header_key
parameters; the code which uses those parameters is adjusted to match.
In validate_transit_path(), rename krbtgt to header_srv.
Do not change the semantics of the sign_authdata DAL method at this
time, but more accurately document the krbtgt and krbtgt_key
parameters.
src/include/kdb.h | 14 ++++++++------
src/include/krb5/kdcauthdata_plugin.h | 5 +++--
src/kdc/do_as_req.c | 4 ++--
src/kdc/do_tgs_req.c | 20 +++++++++++---------
src/kdc/kdc_authdata.c | 32 ++++++++++++++++++++++----------
src/kdc/kdc_util.c | 8 ++++----
src/kdc/kdc_util.h | 4 ++--
7 files changed, 52 insertions(+), 35 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 1563a62..67d7557 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1223,9 +1223,11 @@ typedef struct _kdb_vftabl {
*
* server: The DB entry of the service principal.
*
- * krbtgt: For TGS requests, the DB entry of the (possibly foreign)
- * ticket granting service of the TGT. For AS requests, the DB entry
- * of the service principal.
+ * krbtgt: For TGS requests, the DB entry of the server of the ticket in
+ * the PA-TGS-REQ padata; this is usually a local or cross-realm krbtgt
+ * principal, but not always. For AS requests, the DB entry of the
+ * service principal; this is usually a local krbtgt principal, but not
+ * always.
*
* client_key: The reply key for the KDC request, before any FAST armor
* is applied. For AS requests, this may be the client's long-term key
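Review bot: The rewritten krbtgt description still does not say whether the pointer can be NULL, which is the first thing a DAL implementer needs before dereferencing it; the kdc_authdata.c change in this same commit substitutes `server` whenever no header server exists, so under DAL version 5 the entry is never NULL. Suggest appending `Never NULL: for AS requests this is the same entry as server.` to the krbtgt paragraph, and the parallel sentence `Never NULL: for AS requests this is the same key as server_key.` to the krbtgt_key paragraph in the next hunk. The sign_authdata comment block continues outside this hunk.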
@@ -1234,9 +1236,9 @@ typedef struct _kdb_vftabl {
*
* server_key: The server key used to encrypt the returned ticket.
*
- * krbtgt_key: For TGS requests, the key of the (possibly foreign) ticket
- * granting service of the TGT. for AS requests, the service
- * principal's key.
+ * krbtgt_key: For TGS requests, the key used to decrypt the ticket in
+ * the PA-TGS-REQ padata. For AS requests, the server key used to
+ * encrypt the returned ticket.
*
* session_key: The session key of the ticket being granted to the
* requestor.
diff --git a/src/include/krb5/kdcauthdata_plugin.h b/src/include/krb5/kdcauthdata_plugin.h
index 9698566..53fe69c 100644
--- a/src/include/krb5/kdcauthdata_plugin.h
+++ b/src/include/krb5/kdcauthdata_plugin.h
@@ -107,9 +107,10 @@ typedef krb5_error_code
krb5_kdcauthdata_moddata moddata,
unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *tgs, krb5_keyblock *client_key,
+ krb5_db_entry *header_server,
+ krb5_keyblock *client_key,
krb5_keyblock *server_key,
- krb5_keyblock *tgs_key,
+ krb5_keyblock *header_key,
krb5_data *req_pkt, krb5_kdc_req *req,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
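Review bot: Modules implementing this handle method will now receive NULL for header_server and header_key on AS requests, and nothing in the renamed parameter list signals that: do_as_req.c passes NULL for both, and the module loop in handle_authdata (kdc_authdata.c) forwards them to each module unchanged, while the in-tree substitution of server/server_key happens only afterwards in fetch_kdb_authdata and the handle_signticket call. The previous callers appear to have always passed a real entry and key (do_as_req.c passed state->server and &state->server_keyblock), so a module that dereferences these arguments without a check would fault inside the KDC on the first AS request. The parameter description above this typedef should state that both are NULL for AS requests and must be checked before use, e.g. `header_server, header_key: the server entry and decryption key of the PA-TGS-REQ ticket; both NULL for AS requests`, and the same sentence belongs on the handle_authdata prototype in kdc_util.h. The typedef's parameter list starts outside this hunk.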
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index a1db924..6653126 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -260,10 +260,10 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
state->c_flags,
state->client,
state->server,
- state->server,
+ NULL,
&state->client_keyblock,
&state->server_keyblock,
- &state->server_keyblock,
+ NULL,
state->req_pkt,
state->request,
NULL, /* for_user_princ */
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 64a78e7..c8cd80d 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -102,7 +102,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
const krb5_fulladdr *from, krb5_data **response)
{
krb5_keyblock * subkey = 0;
- krb5_keyblock * tgskey = 0;
+ krb5_keyblock *header_key = NULL;
krb5_kdc_req *request = 0;
krb5_db_entry *server = NULL;
krb5_db_entry *stkt_server = NULL;
@@ -124,7 +124,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
- krb5_db_entry *client = NULL, *krbtgt = NULL;
+ krb5_db_entry *client = NULL, *header_server = NULL;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
@@ -181,7 +181,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
errcode = kdc_process_tgs_req(kdc_active_realm,
request, from, pkt, &header_ticket,
- &krbtgt, &tgskey, &subkey, &pa_tgs_req);
+ &header_server, &header_key, &subkey,
+ &pa_tgs_req);
if (header_ticket && header_ticket->enc_part2)
cprinc = header_ticket->enc_part2->client;
@@ -613,7 +614,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
- server, krbtgt);
+ server, header_server);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
@@ -640,11 +641,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
goto cleanup;
}
- errcode = handle_authdata(kdc_context, c_flags, client, server, krbtgt,
+ errcode = handle_authdata(kdc_context, c_flags, client, server,
+ header_server,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
- tgskey,
+ header_key,
pkt,
request,
s4u_x509_user ?
@@ -840,7 +842,7 @@ cleanup:
if (state)
kdc_free_rstate(state);
krb5_db_free_principal(kdc_context, server);
- krb5_db_free_principal(kdc_context, krbtgt);
+ krb5_db_free_principal(kdc_context, header_server);
krb5_db_free_principal(kdc_context, client);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
@@ -852,8 +854,8 @@ cleanup:
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
- if (tgskey != NULL)
- krb5_free_keyblock(kdc_context, tgskey);
+ if (header_key != NULL)
+ krb5_free_keyblock(kdc_context, header_key);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 704e130..2055d03 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -314,8 +314,8 @@ copy_tgt_authdata(krb5_context context, krb5_kdc_req *request,
static krb5_error_code
fetch_kdb_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *krbtgt, krb5_keyblock *client_key,
- krb5_keyblock *server_key, krb5_keyblock *krbtgt_key,
+ krb5_db_entry *header_server, krb5_keyblock *client_key,
+ krb5_keyblock *server_key, krb5_keyblock *header_key,
krb5_kdc_req *req, krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
krb5_enc_tkt_part *enc_tkt_reply)
@@ -324,6 +324,8 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
krb5_authdata **tgt_authdata, **db_authdata = NULL;
krb5_boolean tgs_req = (req->msg_type == KRB5_TGS_REQ);
krb5_const_principal actual_client;
+ krb5_db_entry *krbtgt;
+ krb5_keyblock *krbtgt_key;
/*
* Check whether KDC issued authorization data should be included.
@@ -361,6 +363,15 @@ fetch_kdb_authdata(krb5_context context, unsigned int flags,
else
actual_client = enc_tkt_reply->client;
+ /*
+ * For DAL major version 5, always pass "krbtgt" and "krbtgt_key"
+ * parameters which are usually, but not always, for local or cross-realm
+ * TGT principals. In the future we might rename the parameters and pass
+ * NULL for AS requests.
+ */
+ krbtgt = (header_server != NULL) ? header_server : server;
+ krbtgt_key = (header_key != NULL) ? header_key : server_key;
+
tgt_authdata = tgs_req ? enc_tkt_req->authorization_data : NULL;
ret = krb5_db_sign_authdata(context, flags, actual_client, client,
server, krbtgt, client_key, server_key,
@@ -694,8 +705,8 @@ cleanup:
krb5_error_code
handle_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *krbtgt, krb5_keyblock *client_key,
- krb5_keyblock *server_key, krb5_keyblock *krbtgt_key,
+ krb5_db_entry *header_server, krb5_keyblock *client_key,
+ krb5_keyblock *server_key, krb5_keyblock *header_key,
krb5_data *req_pkt, krb5_kdc_req *req,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_req,
@@ -720,9 +731,9 @@ handle_authdata(krb5_context context, unsigned int flags,
for (i = 0; i < n_authdata_modules; i++) {
h = &authdata_modules[i];
ret = h->vt.handle(context, h->data, flags, client, server,
- krbtgt, client_key, server_key, krbtgt_key,
- req_pkt, req, for_user_princ, enc_tkt_req,
- enc_tkt_reply);
+ header_server, client_key, server_key,
+ header_key, req_pkt, req, for_user_princ,
+ enc_tkt_req, enc_tkt_reply);
if (ret)
kdc_err(context, ret, "from authdata module %s", h->vt.name);
}
@@ -738,15 +749,16 @@ handle_authdata(krb5_context context, unsigned int flags,
if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) {
/* Fetch authdata from the KDB if appropriate. */
- ret = fetch_kdb_authdata(context, flags, client, server, krbtgt,
- client_key, server_key, krbtgt_key, req,
+ ret = fetch_kdb_authdata(context, flags, client, server, header_server,
+ client_key, server_key, header_key, req,
for_user_princ, enc_tkt_req, enc_tkt_reply);
if (ret)
return ret;
/* Validate and insert AD-SIGNTICKET authdata. This must happen last
* since it contains a signature over the other authdata. */
- ret = handle_signticket(context, flags, client, server, krbtgt_key,
+ ret = handle_signticket(context, flags, client, server,
+ (header_key != NULL) ? header_key : server_key,
req, for_user_princ, enc_tkt_req,
enc_tkt_reply);
if (ret)
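Review bot: The `(header_key != NULL) ? header_key : server_key` fallback in the handle_signticket call repeats the choice made in fetch_kdb_authdata's new krbtgt_key assignment, but unlike that site it carries no comment explaining why the server key stands in. A one-line comment above the call, `/* AS requests carry no header key; sign with the server key instead. */`, keeps the rationale next to the code; alternatively compute the fallback once near the top of handle_authdata and pass the result to both callees so the two sites cannot drift apart. handle_authdata's body starts outside this hunk.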
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 48be1ae..bf6f17b 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1599,7 +1599,7 @@ krb5_error_code
validate_transit_path(krb5_context context,
krb5_const_principal client,
krb5_db_entry *server,
- krb5_db_entry *krbtgt)
+ krb5_db_entry *header_srv)
{
/* Incoming */
if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) {
@@ -1607,9 +1607,9 @@ validate_transit_path(krb5_context context,
}
/* Outgoing */
- if (isflagset(krbtgt->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
- (!krb5_principal_compare(context, server->princ, krbtgt->princ) ||
- !krb5_realm_compare(context, client, krbtgt->princ))) {
+ if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
+ (!krb5_principal_compare(context, server->princ, header_srv->princ) ||
+ !krb5_realm_compare(context, client, header_srv->princ))) {
return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
}
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 479a13c..c522f0b 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -210,10 +210,10 @@ handle_authdata (krb5_context context,
unsigned int flags,
krb5_db_entry *client,
krb5_db_entry *server,
- krb5_db_entry *krbtgt,
+ krb5_db_entry *header_server,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
+ krb5_keyblock *header_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,