Add a new krb5_context field for the config-file tgs_enctypes, which

applications cannot override, and use it for ticket-granting tickets needed to
acquire some desired service ticket.

ticket: 1429
tags: pullup
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15411 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 327e3e3974b0027f727fa89e23de079e2afb91fb..00f359f4a0dedd810c4545ca417eb113e5476cf9 100644 (file)
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,8 @@
+2003-05-09  Ken Raeburn  <raeburn@mit.edu>
+
+       * k5-int.h (struct _krb5_context): New fields conf_tgs_ktypes,
+       conf_tgs_ktypes_count, use_conf_ktypes.
+
 2003-05-09  Tom Yu  <tlyu@mit.edu>
 
        * krb5.hin: Add krb5_auth_con_getsendsubkey,

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ccbd1689994a628d32dbff67a194589bb9dafe4f..596784bef3ec2fb9d995a1965e81c12a5e005211 100644 (file)
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1017,6 +1017,17 @@ struct _krb5_context {
           absolute limit on the UDP packet size.  */
        int             udp_pref_limit;
 
+       /* This is the tgs_ktypes list as read from the profile, or
+          set to compiled-in defaults.  The application code cannot
+          override it.  This is used for session keys for
+          intermediate ticket-granting tickets used to acquire the
+          requested ticket (the session key of which may be
+          constrained by tgs_ktypes above).  */
+       krb5_enctype    *conf_tgs_ktypes;
+       int             conf_tgs_ktypes_count;
+       /* Use the _configured version?  */
+       krb5_boolean    use_conf_ktypes;
+
 #ifdef KRB5_DNS_LOOKUP
         krb5_boolean    profile_in_memory;
 #endif /* KRB5_DNS_LOOKUP */

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index d6663bfe85c38973b5da7a4fda7e7e7ee577d200..46c4754d614b843a99c827b3de27ae7a4557f336 100644 (file)
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,15 @@
+2003-05-09  Ken Raeburn  <raeburn@mit.edu>
+
+       * init_ctx.c (init_common): Copy tgs_ktypes array to
+       conf_tgs_ktypes.  Clear use_conf_ktypes.
+       (krb5_free_context): Free conf_tgs_ktypes.
+       (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between
+       tgs_ktypes and conf_tgs_ktypes.
+
+       * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes
+       in context to 1 for all operations except the acquisition of the
+       desired service ticket.
+
 2003-05-09  Tom Yu  <tlyu@mit.edu>
 
        * auth_con.c (krb5_auth_con_setsendsubkey) 

diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index b5c99428af4848c65aeaa40e1c1d981cc75398b0..8ca62cce634ed8fcaf2cd038691adddd995a2c98 100644 (file)
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994 by the Massachusetts Institute of Technology.
+ * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology.
  * Copyright (c) 1994 CyberSAFE Corporation
  * Copyright (c) 1993 Open Computing Security Group
  * Copyright (c) 1990,1991 by the Massachusetts Institute of Technology.
@@ -76,6 +76,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
   krb5_principal  *top_server = NULL;
   krb5_principal  *next_server = NULL;
   unsigned int    nservers = 0;
+  krb5_boolean   old_use_conf_ktypes = context->use_conf_ktypes;
 
   /* in case we never get a TGT, zero the return */
 
@@ -114,6 +115,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
       goto cleanup;
   }
 
+    context->use_conf_ktypes = 1;
   if ((retval = krb5_cc_retrieve_cred(context, ccache,
                                      KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES,
                                      &tgtq, &tgt))) {
@@ -231,21 +233,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
     
        krb5_free_cred_contents(context, &tgtq);
        memset(&tgtq, 0, sizeof(tgtq));
-#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
        tgtq.times        = tgt.times;
-#else
-       memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times));
-#endif
-
        if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client)))
            goto cleanup;
        if ((retval = krb5_copy_principal(context, int_server, &tgtq.server)))
            goto cleanup;
        tgtq.is_skey      = FALSE;
        tgtq.ticket_flags = tgt.ticket_flags;
-       if ((retval = krb5_get_cred_via_tkt(context, &tgt,
-                                           FLAGS2OPTS(tgtq.ticket_flags),
-                                           tgt.addresses, &tgtq, &tgtr))) {
+       retval = krb5_get_cred_via_tkt(context, &tgt,
+                                      FLAGS2OPTS(tgtq.ticket_flags),
+                                      tgt.addresses, &tgtq, &tgtr);
+       if (retval) {
              
        /*
        * couldn't get one so now loop backwards through the realms
@@ -301,12 +299,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
                  goto cleanup;
              tgtq.is_skey      = FALSE;
              tgtq.ticket_flags = tgt.ticket_flags;
-             if ((retval = krb5_get_cred_via_tkt(context, &tgt,
-                                                 FLAGS2OPTS(tgtq.ticket_flags),
-                                                 tgt.addresses,
-                                                 &tgtq, &tgtr))) {
+             retval = krb5_get_cred_via_tkt(context, &tgt,
+                                            FLAGS2OPTS(tgtq.ticket_flags),
+                                            tgt.addresses,
+                                            &tgtq, &tgtr);
+             if (retval)
                  continue;
-             }
              
              /* save tgt in return array */
              if ((retval = krb5_copy_creds(context, tgtr,
@@ -376,10 +374,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds
     goto cleanup;
   }
 
-  retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) |
-                                kdcopt | 
-                                       (in_cred->second_ticket.length ? 
-                                        KDC_OPT_ENC_TKT_IN_SKEY : 0),
+  context->use_conf_ktypes = old_use_conf_ktypes;
+  retval = krb5_get_cred_via_tkt(context, &tgt,
+                                FLAGS2OPTS(tgt.ticket_flags) |
+                                kdcopt |
+                                (in_cred->second_ticket.length ?
+                                 KDC_OPT_ENC_TKT_IN_SKEY : 0),
                                 tgt.addresses, in_cred, out_cred);
 
   /* cleanup and return */
@@ -395,6 +395,7 @@ cleanup:
       if (ret_tgts)  free(ret_tgts);
       krb5_free_cred_contents(context, &tgt);
   }
+  context->use_conf_ktypes = old_use_conf_ktypes;
   return(retval);
 }
 

diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 426337babdd05c299ced353d38732d262c315c19..a37d8e0a75eff49070da0d21d0aa9cc656fa8ac5 100644 (file)
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/krb/init_ctx.c
  *
- * Copyright 1994,1999,2000, 2002  by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000, 2002, 2003  by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -147,6 +147,13 @@ init_common (krb5_context *context, krb5_boolean secure)
        if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
                goto cleanup;
 
+       ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype));
+       if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0)
+           goto cleanup;
+       memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes,
+              sizeof(krb5_enctype) * ctx->tgs_ktype_count);
+       ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count;
+
        if ((retval = krb5_os_init_context(ctx)))
                goto cleanup;
 
@@ -222,6 +229,7 @@ init_common (krb5_context *context, krb5_boolean secure)
        ctx->fcc_default_format = tmp + 0x0500;
        ctx->scc_default_format = tmp + 0x0500;
        ctx->prompt_types = 0;
+       ctx->use_conf_ktypes = 0;
 
        ctx->udp_pref_limit = -1;
        *context = ctx;
@@ -248,6 +256,11 @@ krb5_free_context(krb5_context ctx)
          ctx->tgs_ktypes = 0;
      }
 
+     if (ctx->conf_tgs_ktypes) {
+        free(ctx->conf_tgs_ktypes);
+        ctx->conf_tgs_ktypes = 0;
+     }
+
      if (ctx->default_realm) {
          free(ctx->default_realm);
          ctx->default_realm = 0;
@@ -296,7 +309,8 @@ krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes)
 }
 
 static krb5_error_code
-get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list)
+get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr,
+                      int ctx_count, krb5_enctype *ctx_list)
 {
     krb5_enctype *old_ktypes;
 
@@ -431,9 +445,16 @@ krb5_error_code
 KRB5_CALLCONV
 krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
 {
-    return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
-                                 context->tgs_ktype_count,
-                                 context->tgs_ktypes));
+    if (context->use_conf_ktypes)
+       /* This one is set *only* by reading the config file; it's not
+          set by the application.  */
+       return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+                                     context->conf_tgs_ktypes_count,
+                                     context->conf_tgs_ktypes));
+    else
+       return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes",
+                                     context->tgs_ktype_count,
+                                     context->tgs_ktypes));
 }
 
 krb5_error_code