From: Luke Howard Date: Tue, 25 Aug 2009 18:02:06 +0000 (+0000) Subject: access krb5_authdata_context via krb5_auth_context X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fe17d248078414d2faef1abeb86f99ac391c439;p=thirdparty%2Fkrb5.git access krb5_authdata_context via krb5_auth_context git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22601 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 22c0b4a047..b74effacb0 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2741,19 +2741,6 @@ krb5_error_code krb5_rd_req_decoded_anyflag
 krb5_flags *,
 krb5_ticket **);
 
-#define RD_REQ_CHECK_VALID_FLAG 0x1
-
-krb5_error_code KRB5_CALLCONV krb5_rd_req_extended
- (krb5_context,
- krb5_auth_context *,
- const krb5_data *,
- krb5_const_principal,
- krb5_keytab,
- krb5_flags,
- krb5_flags *,
- krb5_ticket **,
- krb5_authdata_context *);
-
 krb5_error_code KRB5_CALLCONV krb5_cc_register
 (krb5_context,
 const krb5_cc_ops *,
@@ -2798,6 +2785,18 @@ krb5_error_code krb5_auth_con_get_subkey_enctype
 krb5_auth_context,
 krb5_enctype *);
 
+krb5_error_code
+krb5_auth_con_get_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context);
+
 krb5_error_code KRB5_CALLCONV
 krb5int_server_decrypt_ticket_keyblock
 (krb5_context context,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 08430cff6a..99b588e6a4 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
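Review bot: The two new prototypes added to k5-int.h are declared without `KRB5_CALLCONV`, while the definitions in auth_con.c carry `krb5_error_code KRB5_CALLCONV` and both names are added to libkrb5.exports; on targets where that macro expands to a non-default calling convention this is a declaration/definition mismatch. Change them to `krb5_error_code KRB5_CALLCONV krb5_auth_con_get_authdata_context` and `krb5_error_code KRB5_CALLCONV krb5_auth_con_set_authdata_context`, matching the neighbouring `krb5int_server_decrypt_ticket_keyblock`. The prototypes also deserve a comment stating that the auth_context owns the assigned or returned authdata context and releases it in krb5_auth_con_free, since that ownership contract is new with this change.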
@@ -536,11 +536,11 @@ kg_accept_krb5(minor_status, context_handle,
 goto fail;
 }
 
- if ((code = krb5_rd_req_extended(context, &auth_context, &ap_req,
- cred->name->princ,
- cred->keytab, RD_REQ_CHECK_VALID_FLAG,
- &ap_req_options,
- &ticket, &ad_context))) {
+ if ((code = krb5_rd_req(context, &auth_context, &ap_req,
+ cred->name->princ,
+ cred->keytab,
+ &ap_req_options,
+ &ticket))) {
 major_status = GSS_S_FAILURE;
 goto fail;
 }
@@ -821,14 +821,17 @@ kg_accept_krb5(minor_status, context_handle,
 major_status = GSS_S_FAILURE;
 goto fail;
 }
-
+ if ((code = krb5_auth_con_get_authdata_context(context, auth_context,
+ &ad_context))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
 if ((code = kg_init_name(context, authdat->client,
- ad_context, KG_INIT_NAME_NO_COPY, &ctx->there))) {
+ ad_context, 0, &ctx->there))) {
 major_status = GSS_S_FAILURE;
 goto fail;
 }
 authdat->client = NULL;
- ad_context = NULL;
 
 if ((code = krb5_auth_con_getrecvsubkey(context, auth_context,
 &ctx->subkey))) {
@@ -1171,8 +1174,6 @@ done:
 if (!verifier_cred_handle && cred_handle) {
 krb5_gss_release_cred(&tmp_minor_status, &cred_handle);
 }
- if (ad_context)
- krb5_authdata_context_free(context, ad_context);
 if (context) {
 if (major_status && *minor_status)
 save_error_info(*minor_status, context);
diff --git a/src/lib/gssapi/krb5/delete_sec_context.c b/src/lib/gssapi/krb5/delete_sec_context.c
index 14131bb7c0..e2da3dc986 100644
--- a/src/lib/gssapi/krb5/delete_sec_context.c
+++ b/src/lib/gssapi/krb5/delete_sec_context.c
@@ -109,9 +109,6 @@ krb5_gss_delete_sec_context(minor_status, context_handle, output_token)
 if (ctx->authdata)
 krb5_free_authdata(context, ctx->authdata);
 
- if (ctx->ad_context)
- krb5_authdata_context_free(context, ctx->ad_context);
-
 if (ctx->k5_context)
 krb5_free_context(ctx->k5_context);
 
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 0cd01bb07d..2591b2a1c8 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
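Review bot: In the `@@ -821` hunk the acceptor now hands the pointer obtained from `krb5_auth_con_get_authdata_context` to `kg_init_name` with flags `0` instead of `KG_INIT_NAME_NO_COPY`, and both the `ad_context = NULL;` reset and the `krb5_authdata_context_free` in `done:` are removed, so ownership has silently moved to `auth_context` (released by krb5_auth_con_free) while `ctx->there` presumably keeps its own copy; nothing in the hunk states this. Add `/* ad_context is owned by auth_context; kg_init_name copies it into ctx->there. */` above the kg_init_name call so the next reader does not reintroduce a free here. It is also worth confirming that kg_init_name with flags 0 really does copy rather than alias, since an alias would dangle once ctx->auth_context is freed in delete_sec_context. kg_accept_krb5 begins and ends outside this hunk.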
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -221,7 +221,6 @@ typedef struct _krb5_gss_ctx_id_rec {
 krb5_cksumtype acceptor_subkey_cksumtype;
 int cred_rcache; /* did we get rcache from creds? */
 krb5_authdata **authdata;
- krb5_authdata_context ad_context;
 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
 
 extern g_set kg_vdb;
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 41a2578e0a..b88219cdb1 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -66,6 +66,8 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
 krb5_rc_close(context, auth_context->rcache);
 if (auth_context->permitted_etypes)
 free(auth_context->permitted_etypes);
+ if (auth_context->ad_context)
+ krb5_authdata_context_free(context, auth_context->ad_context);
 free(auth_context);
 return 0;
 }
@@ -568,3 +570,21 @@ krb5_auth_con_get_subkey_enctype(krb5_context context,
 return 0;
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_get_authdata_context(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context)
+{
+ *ad_context = auth_context->ad_context;
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_auth_con_set_authdata_context(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context)
+{
+ auth_context->ad_context = ad_context;
+ return 0;
+}
+
diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h
index be63bedbf4..6254ac67c2 100644
--- a/src/lib/krb5/krb/auth_con.h
+++ b/src/lib/krb5/krb/auth_con.h
@@ -24,6 +24,7 @@ struct _krb5_auth_context {
 krb5_mk_req_checksum_func checksum_func;
 void *checksum_func_data;
 krb5_enctype negotiated_etype;
+ krb5_authdata_context ad_context;
 };
 
 
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index c0e7d99dd0..b81fe2566b 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
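Review bot: `krb5_auth_con_set_authdata_context` overwrites `auth_context->ad_context` unconditionally, so calling it on an auth_context that already holds a context (for instance one populated by krb5_rd_req, which now stores its result there) leaks the old one, because krb5_auth_con_free only releases whatever pointer is current at free time. Either release the previous value first, `if (auth_context->ad_context != NULL && auth_context->ad_context != ad_context) krb5_authdata_context_free(context, auth_context->ad_context);`, or document that the caller must. Both accessors also need a header comment saying that ownership of ad_context passes to the auth_context and that the pointer handed back by the getter is only valid until krb5_auth_con_free, since neither function is otherwise documented and both are exported.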
@@ -59,13 +59,6 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
 krb5_creds *in_cred, krb5_creds **out_cred,
 krb5_creds ***tgts, int kdcopt);
 
-krb5_error_code
-krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket,
- krb5_authdata_context *ad_context);
-
 #define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
 
 #define IS_TGS_PRINC(c, p) \
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index 50a2d2ddfe..50c3a90111 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -8,7 +8,7 @@
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
- * 
+ *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
@@ -22,55 +22,50 @@
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
- * 
+ *
 *
 * krb5_rd_req()
 */
 
 #include "k5-int.h"
 #include "auth_con.h"
-#include "int-proto.h"
 
 /*
 * Parses a KRB_AP_REQ message, returning its contents.
- * 
+ *
 * server specifies the expected server's name for the ticket.
- * 
+ *
 * keyproc specifies a procedure to generate a decryption key for the
 * ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
 * used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
 * if it is non-NULL, it specifies a parameter name from which to retrieve the
 * decryption key. If fetchfrom is NULL, then the default key store is
 * consulted.
- * 
+ *
 * returns system errors, encryption errors, replay errors
 */
 krb5_error_code KRB5_CALLCONV
-krb5_rd_req_extended(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket,
- krb5_authdata_context *ad_context)
+krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
+ const krb5_data *inbuf, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
 {
 krb5_error_code retval;
 krb5_ap_req * request;
 krb5_auth_context new_auth_context;
 krb5_keytab new_keytab = NULL;
 
- if (ad_context != NULL)
- *ad_context = NULL;
-
 if (!krb5_is_ap_req(inbuf))
 return KRB5KRB_AP_ERR_MSG_TYPE;
 
-#ifndef LEAN_CLIENT 
+#ifndef LEAN_CLIENT
 if ((retval = decode_krb5_ap_req(inbuf, &request))) {
 switch (retval) {
 case KRB5_BADMSGTYPE:
- return KRB5KRB_AP_ERR_BADVERSION; 
+ return KRB5KRB_AP_ERR_BADVERSION;
 default:
 return(retval);
- } 
+ }
 }
 #endif /* LEAN_CLIENT */
 
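Review bot: The function comment above the renamed `krb5_rd_req` still describes `keyproc`, `keyprocarg` and `fetchfrom`, none of which are parameters of the new signature, and it says nothing about the authdata context that krb5_rd_req_decoded now stores in `*auth_context` instead of returning it. Replace the keyproc paragraph with `keytab is the key table used to decrypt the ticket; if it is NULL the default keytab is used` (that is what the code below does with krb5_kt_default) and add `On success the verified authorization data is attached to *auth_context (see krb5_auth_con_get_authdata_context) and released by krb5_auth_con_free; callers no longer free it themselves`. The body of krb5_rd_req continues past this hunk.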
@@ -83,7 +78,7 @@ krb5_rd_req_extended(krb5_context context, krb5_auth_context *auth_context,
 }
 
 
-#ifndef LEAN_CLIENT 
+#ifndef LEAN_CLIENT
 /* Get a keytab if necessary. */
 if (keytab == NULL) {
 if ((retval = krb5_kt_default(context, &new_keytab)))
@@ -92,11 +87,10 @@ krb5_rd_req_extended(krb5_context context, krb5_auth_context *auth_context,
 }
 #endif /* LEAN_CLIENT */
 
- retval = krb5_rd_req_decoded_opt(context, auth_context, request, server,
- keytab, flags,
- ap_req_options, ticket, ad_context);
+ retval = krb5_rd_req_decoded(context, auth_context, request, server,
+ keytab, ap_req_options, ticket);
 
-#ifndef LEAN_CLIENT 
+#ifndef LEAN_CLIENT
 if (new_keytab != NULL)
 (void) krb5_kt_close(context, new_keytab);
 #endif /* LEAN_CLIENT */
@@ -112,22 +106,3 @@ cleanup_request:
 return retval;
 }
 
-krb5_error_code KRB5_CALLCONV
-krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
-{
- krb5_error_code retval;
- krb5_authdata_context ad_context = NULL;
-
- retval = krb5_rd_req_extended(context, auth_context, inbuf, server,
- keytab, RD_REQ_CHECK_VALID_FLAG,
- ap_req_options, ticket, &ad_context);
-
- if (retval == 0)
- krb5_authdata_context_free(context, ad_context);
-
- return retval;
-}
-
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 1dcfdc24d3..cf0671b966 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -203,12 +203,11 @@ debug_log_authz_data(const char *which, krb5_authdata **a)
 }
 #endif
 
-krb5_error_code
+static krb5_error_code
 krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags flags,
- krb5_flags *ap_req_options, krb5_ticket **ticket,
- krb5_authdata_context *ad_context)
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket, int check_valid_flag)
 {
 krb5_error_code retval = 0;
 krb5_principal_data princ_data;
@@ -219,11 +218,6 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 int permitted_etypes_len = 0;
 krb5_keyblock decrypt_key;
 
- assert((flags & RD_REQ_CHECK_VALID_FLAG) == 0 || ad_context != NULL);
-
- if (ad_context != NULL)
- *ad_context = NULL;
-
 decrypt_key.enctype = ENCTYPE_NULL;
 decrypt_key.contents = NULL;
 
@@ -248,7 +242,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
 req->ticket)))
 goto cleanup;
- if (flags & RD_REQ_CHECK_VALID_FLAG) {
+ if (check_valid_flag) {
 decrypt_key = *((*auth_context)->keyblock);
 free((*auth_context)->keyblock);
 } else
@@ -257,7 +251,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 } else {
 if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
 server, keytab,
- (flags & RD_REQ_CHECK_VALID_FLAG) ? &decrypt_key : NULL)))
+ check_valid_flag ? &decrypt_key : NULL)))
 goto cleanup;
 }
 
@@ -267,7 +261,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 #ifndef LEAN_CLIENT
 if ((retval = decrypt_authenticator(context, req,
 &((*auth_context)->authentp),
- (flags & RD_REQ_CHECK_VALID_FLAG) != 0)))
+ check_valid_flag)))
 goto cleanup;
 #endif
 if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
@@ -394,17 +388,17 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime)))
 goto cleanup;
 
- if (flags & RD_REQ_CHECK_VALID_FLAG) {
+ if (check_valid_flag) {
 if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
 retval = KRB5KRB_AP_ERR_TKT_INVALID;
 goto cleanup;
 }
 
- assert(ad_context != NULL);
- if ((retval = krb5_authdata_context_init(context, ad_context)))
+ if ((retval = krb5_authdata_context_init(context,
+ &(*auth_context)->ad_context)))
 goto cleanup;
 if ((retval = krb5int_verify_authdata(context,
- *ad_context,
+ (*auth_context)->ad_context,
 auth_context,
 &decrypt_key,
 req,
@@ -553,12 +547,8 @@ cleanup:
 if (req->ticket->enc_part2)
 krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
 req->ticket->enc_part2 = NULL;
- if (ad_context != NULL && *ad_context != NULL) {
- krb5_authdata_context_free(context, *ad_context);
- *ad_context = NULL;
- }
 }
- if (flags & RD_REQ_CHECK_VALID_FLAG)
+ if (check_valid_flag)
 krb5_free_keyblock_contents(context, &decrypt_key);
 
 return retval;
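Review bot: `krb5_authdata_context_init(context, &(*auth_context)->ad_context)` writes into the caller's auth_context without checking whether `ad_context` is already set, so reusing an auth_context for a second krb5_rd_req, or one seeded through the new krb5_auth_con_set_authdata_context, leaks the earlier context; the removed out-parameter version could not hit this because it always started from a NULL it had just written. Release or reject a pre-existing value before initialising, e.g. `if ((*auth_context)->ad_context != NULL) krb5_authdata_context_free(context, (*auth_context)->ad_context);` immediately before the init call, and say in a comment that the init replaces any previous context. krb5_rd_req_decoded_opt starts and ends outside this hunk.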
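Review bot: The cleanup path no longer frees the authdata context on failure, yet the context now lives in `(*auth_context)->ad_context`, so when krb5int_verify_authdata (or anything after the init) fails the caller keeps an auth_context with a partially verified authdata context attached and reachable through krb5_auth_con_get_authdata_context. Mirror the removed lines on the new location, inside the error branch before the closing brace: `if ((*auth_context)->ad_context != NULL) { krb5_authdata_context_free(context, (*auth_context)->ad_context); (*auth_context)->ad_context = NULL; }`. Whether that brace closes an `if (retval)` block cannot be seen here, since the start of the cleanup block is outside the hunk, so the condition should be checked before placing the free.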
@@ -566,33 +556,30 @@ cleanup:
 
 krb5_error_code
 krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
 {
 krb5_error_code retval;
- krb5_authdata_context ad_context;
 
 retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab, RD_REQ_CHECK_VALID_FLAG,
+ req, server, keytab,
 ap_req_options, ticket,
- &ad_context);
- if (retval == 0)
- krb5_authdata_context_free(context, ad_context);
+ 1); /* check_valid_flag */
 return retval;
 }
 
 krb5_error_code
 krb5_rd_req_decoded_anyflag(krb5_context context,
- krb5_auth_context *auth_context,
- const krb5_ap_req *req,
- krb5_const_principal server, krb5_keytab keytab,
- krb5_flags *ap_req_options, krb5_ticket **ticket)
+ krb5_auth_context *auth_context,
+ const krb5_ap_req *req,
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_flags *ap_req_options, krb5_ticket **ticket)
 {
 krb5_error_code retval;
 retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- 0, /* don't check valid flag */
- ap_req_options, ticket, NULL);
+ req, server, keytab,
+ ap_req_options, ticket,
+ 0); /* don't check_valid_flag */
 return retval;
 }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index bd0816c0aa..5c7d40bda1 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -105,6 +105,7 @@ krb5_appdefault_string
 krb5_auth_con_free
 krb5_auth_con_genaddrs
 krb5_auth_con_get_checksum_func
+krb5_auth_con_get_authdata_context
 krb5_auth_con_getaddrs
 krb5_auth_con_getauthenticator
 krb5_auth_con_getflags
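Review bot: `krb5_rd_req_decoded_anyflag` passes `0` for check_valid_flag, and krb5_rd_req_decoded_opt only calls krb5_authdata_context_init under that flag, so after the anyflag variant `(*auth_context)->ad_context` is left untouched (normally NULL) while after `krb5_rd_req_decoded` it holds the verified authdata; the two wrappers now differ in a side effect that neither comment mentions. Add above the anyflag definition `/* Skips the TKT_FLG_INVALID check and does not populate (*auth_context)->ad_context; callers that need authorization data must use krb5_rd_req_decoded. */` and above krb5_rd_req_decoded `/* On success the verified authdata context is stored in (*auth_context)->ad_context and released by krb5_auth_con_free. */`. Since krb5_rd_req_decoded previously freed the context itself, existing callers that keep the auth_context alive now retain an extra allocation for its lifetime, which is presumably intended but worth stating in the commit message.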
@@ -120,6 +121,7 @@ krb5_auth_con_getremotesubkey
 krb5_auth_con_getsendsubkey
 krb5_auth_con_init
 krb5_auth_con_initivector
+krb5_auth_con_set_authdata_context
 krb5_auth_con_set_checksum_func
 krb5_auth_con_set_req_cksumtype
 krb5_auth_con_set_safe_cksumtype
@@ -457,7 +459,6 @@ krb5_rd_rep_dce
 krb5_rd_req
 krb5_rd_req_decoded
 krb5_rd_req_decoded_anyflag
-krb5_rd_req_extended
 krb5_rd_safe
 krb5_read_message
 krb5_read_password