end of pointer arrays in krb5_creds

Greg Hudson ghudson at mit.edu
Sun Sep 18 02:05:35 EDT 2016

On 09/16/2016 04:40 AM, Rick van Rein wrote:
> The hostaddresses are OPTIONAL, so I would have expected the array pointer (so the **) to be NULL when no host addresses are present in the krb5_creds structure.  However, when using "kinit -A" to log in, I do find an array but its first element is NULL.

(kinit -A is normally the default, right?)

Most of the time, your instinct is correct; in Kerberos ASN.1 objects,
sequences like this are usually optional but non-empty when present, and
the corresponding MIT krb5 C structures contain a NULL pointer when the
sequence is absent.  For instance, EncTicketPart contains the field
"caddr [9] HostAddresses OPTIONAL", where HostAddresses has the comment
"HostAddresses is always used as an OPTIONAL field and should not be
empty."  And in a krb5_enc_tkt_part object, the caddrs field will be
NULL if no address restrictions are present in the ticket.

However, the krb5_creds type is marshalled to and from ccache files
using a different subsystem, and the unmarshalling code always creates
an array for the addresses and authdata fields.  This is a historical
inconsistency, which there probably isn't much benefit in fixing.

> Normally I would have assumed that a list is prescribing, unless absent.  But it seems that the empty list is an exception, and treated as a carte blanche re. host addresses.

Enforcement of address restrictions isn't done using a krb5_creds
object.  When you acquire a ticket, the KDC tells the client what
address restrictions are present in the ticket for the client's
information, and the client notes that in the krb5_creds object that it
marshals out to the ccache.  That information can be shown with klist
-a, but otherwise isn't used (as far as I know).
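
Added example, not code from this thread or from MIT krb5: a check for
address restrictions in a krb5_creds that treats both shapes described
above (a NULL addresses pointer, as an ASN.1 decoder leaves an absent
field, and the non-NULL array with a NULL first element that the ccache
unmarshalling code produces) as "no restrictions".  The typedefs are
minimal stand-ins for krb5_address and krb5_creds so the file compiles
without krb5.h; the field names follow the real headers, but the reduced
layout, the sample address and the helper names are assumptions.

```c
/*
 * Added example (not from the krbdev thread or from MIT krb5).
 * Stand-in types: field names follow krb5.h, the reduced layout is an
 * assumption made so this compiles without the krb5 headers.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDRTYPE_INET 0x0002    /* same value as krb5.h's ADDRTYPE_INET */

typedef struct {
    int addrtype;
    unsigned int length;
    unsigned char *contents;
} krb5_address;

typedef struct {
    krb5_address **addresses;   /* NULL-terminated array, or NULL */
} krb5_creds;

/* Number of entries in a NULL-terminated address array.  Returns 0 both
 * for a NULL array and for an array whose first element is NULL. */
size_t count_addresses(krb5_address **addrs)
{
    size_t n = 0;

    if (addrs == NULL)
        return 0;
    while (addrs[n] != NULL)
        n++;
    return n;
}

/* 1 if the credential records any address restriction, else 0.
 * Testing creds->addresses != NULL alone is wrong: a krb5_creds read
 * back from a ccache with no restrictions has a non-NULL, empty array. */
int has_address_restrictions(const krb5_creds *creds)
{
    return count_addresses(creds->addresses) > 0;
}

/* 1 if an address with the given type and contents appears in addrs. */
int address_in_list(krb5_address **addrs, int addrtype,
                    const unsigned char *contents, unsigned int length)
{
    size_t i, n = count_addresses(addrs);

    for (i = 0; i < n; i++) {
        if (addrs[i]->addrtype == addrtype && addrs[i]->length == length &&
            memcmp(addrs[i]->contents, contents, length) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample data: one IPv4 address, 192.0.2.1 (documentation range). */
static unsigned char sample_ipv4[4] = { 192, 0, 2, 1 };
static krb5_address sample_addr = { ADDRTYPE_INET, 4, sample_ipv4 };

/* The three shapes the addresses field takes in practice. */
static krb5_address *ccache_empty[] = { NULL };              /* ccache, no restrictions */
static krb5_address *one_address[] = { &sample_addr, NULL }; /* one restriction */

krb5_creds creds_asn1_style = { NULL };           /* absent OPTIONAL field */
krb5_creds creds_ccache_style = { ccache_empty }; /* empty array from ccache */
krb5_creds creds_restricted = { one_address };

int main(void)
{
    const krb5_creds *samples[] = { &creds_asn1_style, &creds_ccache_style,
                                    &creds_restricted };
    const char *names[] = { "NULL pointer", "empty array", "one address" };
    unsigned char probe[4] = { 192, 0, 2, 1 };
    size_t i;

    for (i = 0; i < 3; i++) {
        printf("%-12s: %zu address(es), restricted=%d, 192.0.2.1 listed=%d\n",
               names[i], count_addresses(samples[i]->addresses),
               has_address_restrictions(samples[i]),
               address_in_list(samples[i]->addresses, ADDRTYPE_INET, probe, 4));
    }
    return 0;
}
```

The same pattern applies to the authdata field, which the ccache
unmarshalling code also hands back as an empty array rather than NULL:
walk to the terminating NULL and decide on the count, never on whether
the outer pointer is NULL.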
