end of pointer arrays in krb5_creds
ghudson at mit.edu
Sun Sep 18 02:05:35 EDT 2016
On 09/16/2016 04:40 AM, Rick van Rein wrote:
> The hostaddresses are OPTIONAL, so I would have expected the array pointer (so the **) to be NULL when no host addresses are present in the krb5_creds structure. However, when using "kinit -A" to login, I do find an array but its first element is NULL.
(kinit -A is normally the default, right?)
Most of the time, your instinct is correct; in Kerberos ASN.1 objects,
sequences like this are usually optional but non-empty when present, and
the corresponding MIT krb5 C structures contain a NULL pointer when the
sequence is absent. For instance, EncTicketPart contains the field
"caddr  HostAddresses OPTIONAL", where HostAddresses has the comment
"HostAddresses is always used as an OPTIONAL field and should not be
empty." And in a krb5_enc_tkt_part object, the caddrs field will be
NULL if no address restrictions are present in the ticket.
However, the krb5_creds type is marshalled to and from ccache files
using a different subsystem, and the unmarshalling code always creates
an array for the addresses and authdata fields. This is a historical
inconsistency, which there probably isn't much benefit in fixing.
> Normally I would have assumed that a list is prescribing, unless absent. But it seems that the empty list is an exception, and treated as a carte blanche re. host addresses.
Enforcement of address restrictions isn't done using a krb5_creds
object. When you acquire a ticket, the KDC tells the client what
address restrictions are present in the ticket for the client's
information, and the client notes that in the krb5_creds object that it
marshals out to the ccache. That information can be shown with klist
-a, but otherwise isn't used (as far as I know).
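The point above about ccache-loaded creds (an allocated but empty addresses array rather than a NULL pointer) is easy to get wrong in client code. The following is an added example, not code from the thread or from MIT krb5: it uses a constructed stand-in for krb5_address so it compiles without krb5 headers, and contrasts a check that only tests the array pointer with one that counts entries.

```c
#include <stddef.h>

/* Constructed stand-in for MIT krb5's krb5_address, so this example
 * builds without <krb5.h>. Real code would include the library header. */
typedef struct {
    int addrtype;
    unsigned int length;
    unsigned char *contents;
} krb5_address;

/* Naive check: treats only a NULL array pointer as "no restrictions".
 * This misjudges creds unmarshalled from a ccache, where the array is
 * present but its first element is NULL. */
int naive_has_addr_restrictions(krb5_address **addrs)
{
    return addrs != NULL;
}

/* Count entries in a NULL-terminated krb5_address array. A NULL pointer
 * and an empty array both yield 0. */
size_t count_addrs(krb5_address **addrs)
{
    size_t n = 0;
    if (addrs == NULL)
        return 0;
    while (addrs[n] != NULL)
        n++;
    return n;
}

/* Robust check: "restrictions recorded" means at least one entry. */
int has_addr_restrictions(krb5_address **addrs)
{
    return count_addrs(addrs) > 0;
}

/* Constructed sample: the empty array a ccache unmarshal produces. */
krb5_address *empty_array[] = { NULL };

/* Constructed sample: one IPv4 entry (ADDRTYPE_INET is 2 in krb5). */
unsigned char ipv4_bytes[4] = { 10, 0, 0, 1 };
krb5_address one_addr = { 2, 4, ipv4_bytes };
krb5_address *one_array[] = { &one_addr, NULL };
```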