krb5 commit: Refactor cache checking in TGS client code
Greg Hudson
ghudson at mit.edu
Fri Aug 7 18:49:14 EDT 2020
https://github.com/krb5/krb5/commit/8f2f0a2e8f65c4b39883129967301e3a8986218b
commit 8f2f0a2e8f65c4b39883129967301e3a8986218b
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jul 23 01:52:43 2020 -0400
Refactor cache checking in TGS client code
src/lib/krb5/krb/get_creds.c | 86 ++++++++++++++++++++++++-----------------
src/lib/krb5/krb/int-proto.h | 6 +-
src/lib/krb5/krb/s4u_creds.c | 21 +---------
3 files changed, 55 insertions(+), 58 deletions(-)
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index b3f01be..32401bc 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -48,10 +48,10 @@
* and options. The fields of *mcreds will be aliased to the fields
* of in_creds, so the contents of *mcreds should not be freed.
*/
-krb5_error_code
-krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields)
+static krb5_error_code
+construct_matching_creds(krb5_context context, krb5_flags options,
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields)
{
if (!in_creds || !in_creds->server || !in_creds->client)
return EINVAL;
@@ -110,6 +110,50 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
return 0;
}
+/* Simple wrapper around krb5_cc_retrieve_cred which allocates the result
+ * container. */
+static krb5_error_code
+cache_get(krb5_context context, krb5_ccache ccache, krb5_flags flags,
+ krb5_creds *in_creds, krb5_creds **out_creds)
+{
+ krb5_error_code code;
+ krb5_creds *creds;
+
+ *out_creds = NULL;
+
+ creds = malloc(sizeof(*creds));
+ if (creds == NULL)
+ return ENOMEM;
+
+ code = krb5_cc_retrieve_cred(context, ccache, flags, in_creds, creds);
+ if (code != 0) {
+ free(creds);
+ return code;
+ }
+
+ *out_creds = creds;
+ return 0;
+}
+
+krb5_error_code
+k5_get_cached_cred(krb5_context context, krb5_flags options,
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **creds_out)
+{
+ krb5_error_code code;
+ krb5_creds mcreds;
+ krb5_flags fields;
+
+ *creds_out = NULL;
+
+ code = construct_matching_creds(context, options, in_creds,
+ &mcreds, &fields);
+ if (code)
+ return code;
+
+ return cache_get(context, ccache, fields, &mcreds, creds_out);
+}
+
/*
* krb5_tkt_creds_step() is implemented using a tail call style. Every
* begin_*, step_*, or *_request function is responsible for returning an
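Review bot: k5_get_cached_cred (L61-L78) becomes a cross-file internal entry point via int-proto.h but carries no header comment, while the wrapper it calls does; callers in another file will need its contract spelled out. I would add above L61 a short block comment saying that it looks up a credential in ccache matching in_creds under the retrieval semantics selected by options (as built by construct_matching_creds), that on success *creds_out is a freshly allocated krb5_creds the caller owns (presumably released with krb5_free_creds(), not plain free, since its fields are filled by the cache), and that on failure *creds_out is NULL and the error from construct_matching_creds or krb5_cc_retrieve_cred is returned unchanged. The last point matters because the s4u caller in this same commit branches on `KRB5_CC_NOTFOUND` and `KRB5_CC_NOT_KTYPE` passing through unmodified, so it should be part of the documented contract. Also note that the mcreds built on L72-L73 alias in_creds (per the comment at L19-L20), so in_creds must remain valid for the duration of the call.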
@@ -235,31 +279,6 @@ cleanup:
return code;
}
-/* Simple wrapper around krb5_cc_retrieve_cred which allocates the result
- * container. */
-static krb5_error_code
-cache_get(krb5_context context, krb5_ccache ccache, krb5_flags flags,
- krb5_creds *in_creds, krb5_creds **out_creds)
-{
- krb5_error_code code;
- krb5_creds *creds;
-
- *out_creds = NULL;
-
- creds = malloc(sizeof(*creds));
- if (creds == NULL)
- return ENOMEM;
-
- code = krb5_cc_retrieve_cred(context, ccache, flags, in_creds, creds);
- if (code != 0) {
- free(creds);
- return code;
- }
-
- *out_creds = creds;
- return 0;
-}
-
/*
* Set up the request given by ctx->tgs_in_creds, using ctx->cur_tgt. KDC
* options for the requests are determined by ctx->cur_tgt->ticket_flags and
@@ -1023,18 +1042,13 @@ static krb5_error_code
check_cache(krb5_context context, krb5_tkt_creds_context ctx)
{
krb5_error_code code;
- krb5_creds mcreds;
- krb5_flags fields;
krb5_creds req_in_creds;
/* Check the cache for the originally requested server principal. */
req_in_creds = *ctx->in_creds;
req_in_creds.server = ctx->req_server;
- code = krb5int_construct_matching_creds(context, ctx->req_options,
- &req_in_creds, &mcreds, &fields);
- if (code)
- return code;
- code = cache_get(context, ctx->ccache, fields, &mcreds, &ctx->reply_creds);
+ code = k5_get_cached_cred(context, ctx->req_options, ctx->ccache,
+ &req_in_creds, &ctx->reply_creds);
if (code == 0) {
ctx->state = STATE_COMPLETE;
return 0;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index fe61beb..5211044 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -79,9 +79,9 @@ clpreauth_otp_initvt(krb5_context context, int maj_ver, int min_ver,
krb5_plugin_vtable vtable);
krb5_error_code
-krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
+k5_get_cached_cred(krb5_context context, krb5_flags options,
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **creds_out);
#define IS_TGS_PRINC(p) ((p)->length == 2 && \
data_eq_string((p)->data[0], KRB5_TGS_NAME))
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 00ff613..fe15b24 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -1152,29 +1152,12 @@ k5_get_proxy_cred_from_kdc(krb5_context context, krb5_flags options,
{
krb5_error_code code;
krb5_const_principal canonprinc;
- krb5_creds mcreds, copy, *creds, *ncreds;
- krb5_flags fields;
+ krb5_creds copy, *creds;
struct canonprinc iter = { in_creds->server, .no_hostrealm = TRUE };
*out_creds = NULL;
- code = krb5int_construct_matching_creds(context, options, in_creds,
- &mcreds, &fields);
- if (code != 0)
- return code;
-
- ncreds = calloc(1, sizeof(*ncreds));
- if (ncreds == NULL)
- return ENOMEM;
- ncreds->magic = KV5M_CRED;
-
- code = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, ncreds);
- if (code) {
- free(ncreds);
- } else {
- *out_creds = ncreds;
- }
-
+ code = k5_get_cached_cred(context, options, ccache, in_creds, out_creds);
if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) ||
options & KRB5_GC_CACHED)
return code;
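Review bot: The replacement on L179 drops the zero-initialisation and the `ncreds->magic = KV5M_CRED;` assignment that the removed lines L167-L170 performed, because the shared cache_get() allocates with plain malloc and relies on krb5_cc_retrieve_cred to populate every field of the output. If a cache backend's retrieve path does not write `magic` (or any other field), the S4U caller now receives a struct with indeterminate contents where it previously had a fully zeroed, KV5M_CRED-tagged credential; this is a behavioural change the commit message ("refactor") does not mention. Worth confirming that krb5_cc_retrieve_cred always fully assigns the result on success, or making cache_get explicit about it by setting `creds->magic = KV5M_CRED;` after the successful retrieve (or using calloc there) so both callers get the same guarantee. k5_get_proxy_cred_from_kdc continues past the end of this hunk, so the later use of *out_creds is not visible here.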