krb5_get_credentials and krb5_get_credentials_validate. Some formerly local
variables are now arguments.
(krb5_get_credentials): same as before, but calls _core to do some of the work.
(krb5_get_credentials_validate): uses krb5_get_cred_from_kdc_validate and only
stores the returned credential in the cache, instead of storing all of them.
* gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): new function. Same body as
krb5_get_cred_from_kdc, but takes one new argument, kdcopts, and combines it
with the other kdc options when calling krb5_get_cred_via_tkt. This is static
and only called by
(krb5_get_cred_from_kdc): a wrapper that provides the same function it did
before, and
(krb5_get_cred_from_kdc_validate): a wrapper that passes KDC_OPT_VALIDATE, so
that kinit can use it.
We'll probably need another one for renewing tickets as well.
* rd_req_dec.c (krb5_rd_req_decoded_opt): new function. Same body as
krb5_rd_req_decoded, but takes one new argument, check_valid_flag, to determine
whether or not to check if the "invalid flag" is set in the ticket. Also made
static, so that it is only called via:
(krb5_rd_req_decoded): wrapper for krb5_rd_req_decoded_opt that specifies the
"invalid flag" gets checked, and
(krb5_rd_req_decoded_anyflag): wrapper for krb5_rd_req_decoded_opt that
specifies that the "invalid flag" doesn't get checked. (This version is only
called from kdc_util.c:kdc_process_tgs_req.)
* str_conv.c (krb5_string_to_timestamp): double check that strptime at least
parsed *some* of the string, avoid degenerate cases from GNU libc strptime.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7890
dc483132-0cff-0310-8789-
dd5450dbe970
+Fri May 3 00:15:18 1996 Mark Eichin <eichin@cygnus.com>
+
+ * get_creds.c (krb5_get_credentials_core): new function. Common
+ part of krb5_get_credentials and krb5_get_credentials_validate.
+ Some formerly local variables are now arguments.
+ (krb5_get_credentials): same as before, but calls _core to do some
+ of the work.
+ (krb5_get_credentials_validate): uses
+ krb5_get_cred_from_kdc_validate and only stores the returned
+ credential in the cache, instead of storing all of them.
+
+Thu May 2 22:48:56 1996 Mark Eichin <eichin@cygnus.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): new function. Same
+ body as krb5_get_cred_from_kdc, but takes one new argument,
+ kdcopts, and combines it with the other kdc options when calling
+ krb5_get_cred_via_tkt. This is static and only called by
+ (krb5_get_cred_from_kdc): a wrapper that provides the same
+ function it did before, and
+ (krb5_get_cred_from_kdc_validate): a wrapper that passes
+ KDC_OPT_VALIDATE, so that kinit can use it.
+ We'll probably need another one for renewing tickets as well.
+
+ * rd_req_dec.c (krb5_rd_req_decoded_opt): new function. Same body
+ as krb5_rd_req_decoded, but takes one new argument,
+ check_valid_flag, to determine whether or not to check if the
+ "invalid flag" is set in the ticket. Also made static, so that it
+ is only called via:
+ (krb5_rd_req_decoded): wrapper for krb5_rd_req_decoded_opt that
+ specifies the "invalid flag" gets checked, and
+ (krb5_rd_req_decoded_anyflag): wrapper for krb5_rd_req_decoded_opt
+ that specifies that the "invalid flag" doesn't get checked. (This
+ version is only called from kdc_util.c:kdc_process_tgs_req.)
+
+Wed May 1 02:26:53 1996 Mark Eichin <eichin@cygnus.com>
+
+ * str_conv.c (krb5_string_to_timestamp): double check that
+ strptime at least parsed *some* of the string, avoid degenerate
+ cases from GNU libc strptime.
+
Tue Apr 30 18:19:01 1996 Ken Raeburn <raeburn@cygnus.com>
* t_ser.c (stuff): New variable.
#define FLAGS2OPTS(flags) (flags & KDC_TKT_COMMON_MASK)
-krb5_error_code
-krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts)
+static krb5_error_code
+krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt)
krb5_context context;
krb5_ccache ccache;
krb5_creds *in_cred;
krb5_creds **out_cred;
krb5_creds ***tgts;
+ int kdcopt;
{
krb5_creds **ret_tgts = NULL;
int ntgts = 0;
}
retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) |
+ kdcopt |
(in_cred->second_ticket.length ?
KDC_OPT_ENC_TKT_IN_SKEY : 0),
tgt.addresses, in_cred, out_cred);
}
return(retval);
}
+
+krb5_error_code
+krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts)
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_creds *in_cred;
+ krb5_creds **out_cred;
+ krb5_creds ***tgts;
+{
+
+ return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
+ 0);
+}
+
+krb5_error_code
+krb5_get_cred_from_kdc_validate(context, ccache, in_cred, out_cred, tgts)
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_creds *in_cred;
+ krb5_creds **out_cred;
+ krb5_creds ***tgts;
+{
+
+ return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
+ KDC_OPT_VALIDATE);
+}
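Review bot: The new `kdcopt` parameter of krb5_get_cred_from_kdc_opt is declared `int`, but it is OR-ed into the KDC option word alongside `FLAGS2OPTS(tgt.ticket_flags)` and `KDC_OPT_ENC_TKT_IN_SKEY`, which are flag-typed values. Declaring it `krb5_flags kdcopt;` would keep the option word one type on every platform; if `int` is narrower than the flag type on any supported target, high option bits passed by a future wrapper (the renew one mentioned in the log) would be lost. A one-line comment above the static function, for example `/* kdcopt: extra KDC_OPT_* bits OR-ed into the final TGS request; 0 for the historical behaviour */`, would also make the contract of the two wrappers clear. Only one krb5_get_cred_via_tkt call is visible in this section, so whether any other request in the function body needs the same option cannot be checked from here.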
#include "k5-int.h"
-krb5_error_code INTERFACE
-krb5_get_credentials(context, options, ccache, in_creds, out_creds)
+static krb5_error_code INTERFACE
+krb5_get_credentials_core(context, options, ccache, in_creds, out_creds,
+ mcreds, fields)
krb5_context context;
const krb5_flags options;
krb5_ccache ccache;
krb5_creds *in_creds;
krb5_creds **out_creds;
+ krb5_creds *mcreds;
+ krb5_flags *fields;
{
- krb5_error_code retval, rv2;
- krb5_creds **tgts;
- krb5_creds *ncreds;
- krb5_creds mcreds;
- krb5_flags fields;
+ krb5_error_code retval;
if (!in_creds || !in_creds->server || !in_creds->client)
return EINVAL;
- memset((char *)&mcreds, 0, sizeof(krb5_creds));
- mcreds.magic = KV5M_CREDS;
- mcreds.times.endtime = in_creds->times.endtime;
+ memset((char *)mcreds, 0, sizeof(krb5_creds));
+ mcreds->magic = KV5M_CREDS;
+ mcreds->times.endtime = in_creds->times.endtime;
#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
- mcreds.keyblock = in_creds->keyblock;
+ mcreds->keyblock = in_creds->keyblock;
#else
- memcpy(&mcreds.keyblock, &in_creds->keyblock, sizeof(krb5_keyblock));
+ memcpy(&mcreds->keyblock, &in_creds->keyblock, sizeof(krb5_keyblock));
#endif
- mcreds.authdata = in_creds->authdata;
- mcreds.server = in_creds->server;
- mcreds.client = in_creds->client;
+ mcreds->authdata = in_creds->authdata;
+ mcreds->server = in_creds->server;
+ mcreds->client = in_creds->client;
- fields = KRB5_TC_MATCH_TIMES /*XXX |KRB5_TC_MATCH_SKEY_TYPE */
+ *fields = KRB5_TC_MATCH_TIMES /*XXX |KRB5_TC_MATCH_SKEY_TYPE */
| KRB5_TC_MATCH_AUTHDATA ;
- if (mcreds.keyblock.enctype)
- fields |= KRB5_TC_MATCH_KTYPE;
+ if (mcreds->keyblock.enctype)
+ *fields |= KRB5_TC_MATCH_KTYPE;
if (options & KRB5_GC_USER_USER) {
/* also match on identical 2nd tkt and tkt encrypted in a
session key */
- fields |= KRB5_TC_MATCH_2ND_TKT|KRB5_TC_MATCH_IS_SKEY;
- mcreds.is_skey = TRUE;
- mcreds.second_ticket = in_creds->second_ticket;
+ *fields |= KRB5_TC_MATCH_2ND_TKT|KRB5_TC_MATCH_IS_SKEY;
+ mcreds->is_skey = TRUE;
+ mcreds->second_ticket = in_creds->second_ticket;
if (!in_creds->second_ticket.length)
return KRB5_NO_2ND_TKT;
}
+ return 0;
+}
+
+krb5_error_code INTERFACE
+krb5_get_credentials(context, options, ccache, in_creds, out_creds)
+ krb5_context context;
+ const krb5_flags options;
+ krb5_ccache ccache;
+ krb5_creds *in_creds;
+ krb5_creds **out_creds;
+{
+ krb5_error_code retval;
+ krb5_creds mcreds;
+ krb5_creds *ncreds;
+ krb5_creds **tgts;
+ krb5_flags fields;
+
+ retval = krb5_get_credentials_core(context, options, ccache,
+ in_creds, out_creds,
+ &mcreds, &fields);
+
+ if (retval) return retval;
+
if ((ncreds = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL)
return ENOMEM;
retval = krb5_get_cred_from_kdc(context, ccache, ncreds, out_creds, &tgts);
if (tgts) {
register int i = 0;
+ krb5_error_code rv2;
while (tgts[i]) {
if ((rv2 = krb5_cc_store_cred(context, ccache, tgts[i]))) {
retval = rv2;
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
}
+
+krb5_error_code INTERFACE
+krb5_get_credentials_validate(context, options, ccache, in_creds, out_creds)
+ krb5_context context;
+ const krb5_flags options;
+ krb5_ccache ccache;
+ krb5_creds *in_creds;
+ krb5_creds **out_creds;
+{
+ krb5_error_code retval;
+ krb5_creds mcreds;
+ krb5_principal tmp;
+ krb5_creds **tgts = 0;
+ krb5_flags fields;
+
+ retval = krb5_get_credentials_core(context, options, ccache,
+ in_creds, out_creds,
+ &mcreds, &fields);
+
+ if (retval) return retval;
+
+ retval = krb5_get_cred_from_kdc_validate(context, ccache,
+ in_creds, out_creds, &tgts);
+ if (retval) return retval;
+ if (tgts) krb5_free_tgt_creds(context, tgts);
+
+ retval = krb5_cc_get_principal(context, ccache, &tmp);
+ if (retval) return retval;
+
+ retval = krb5_cc_initialize(context, ccache, tmp);
+ if (retval) return retval;
+
+ retval = krb5_cc_store_cred(context, ccache, *out_creds);
+ return retval;
+}
return retval;
}
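Review bot: In krb5_get_credentials_validate the principal obtained with krb5_cc_get_principal is never released: `tmp` is still held when krb5_cc_initialize fails and when the function returns after the store. Assuming the cache keeps its own copy of the principal, adding `krb5_free_principal(context, tmp);` directly after the krb5_cc_initialize call, before `retval` is tested, covers both paths. The same early returns leave `*out_creds` allocated by krb5_get_cred_from_kdc_validate, and because the cache is re-initialized before krb5_cc_store_cred, a failed store leaves the user with an empty cache; a comment stating that the wipe is intentional and what the caller owns on error would help. As far as the visible lines show, `mcreds` and `fields` filled in by krb5_get_credentials_core are not used in this function.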
-krb5_error_code
-krb5_rd_req_decoded(context, auth_context, req, server, keytab,
- ap_req_options, ticket)
+static krb5_error_code
+krb5_rd_req_decoded_opt(context, auth_context, req, server, keytab,
+ ap_req_options, ticket, check_valid_flag)
krb5_context context;
krb5_auth_context * auth_context;
const krb5_ap_req * req;
krb5_keytab keytab;
krb5_flags * ap_req_options;
krb5_ticket ** ticket;
+ int check_valid_flag;
{
krb5_error_code retval = 0;
krb5_timestamp currenttime;
goto cleanup;
}
- if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
+ if (check_valid_flag) {
+ if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
+ }
}
(*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
return retval;
}
+krb5_error_code
+krb5_rd_req_decoded(context, auth_context, req, server, keytab,
+ ap_req_options, ticket)
+ krb5_context context;
+ krb5_auth_context * auth_context;
+ const krb5_ap_req * req;
+ krb5_const_principal server;
+ krb5_keytab keytab;
+ krb5_flags * ap_req_options;
+ krb5_ticket ** ticket;
+{
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 1); /* check_valid_flag */
+ return retval;
+}
+
+krb5_error_code
+krb5_rd_req_decoded_anyflag(context, auth_context, req, server, keytab,
+ ap_req_options, ticket)
+ krb5_context context;
+ krb5_auth_context * auth_context;
+ const krb5_ap_req * req;
+ krb5_const_principal server;
+ krb5_keytab keytab;
+ krb5_flags * ap_req_options;
+ krb5_ticket ** ticket;
+{
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 0); /* don't check_valid_flag */
+ return retval;
+}
+
static krb5_error_code
decrypt_authenticator(context, request, authpp)
krb5_context context;
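Review bot: krb5_rd_req_decoded_anyflag is a non-static entry point with the same signature as krb5_rd_req_decoded, yet it accepts tickets that still carry TKT_FLG_INVALID, and nothing at the definition says so. The commit message restricts it to kdc_util.c:kdc_process_tgs_req, but that restriction lives only in the log; an application server that picks this variant by mistake would accept a ticket that has not been validated. I would put the restriction in the code with a comment above the function, for example `/* KDC use only (kdc_process_tgs_req): does NOT reject TKT_FLG_INVALID; application servers must call krb5_rd_req_decoded */`, and keep the prototype out of the public header if the build allows. The bare `1` and `0` passed as check_valid_flag would read better as named constants. The body of krb5_rd_req_decoded_opt is only partly visible in this section.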
int i;
int found;
struct tm timebuf;
+ char *s;
found = 0;
memset(&timebuf, 0, sizeof(timebuf));
for (i=0; i<atime_format_table_nents; i++) {
- if (strptime(string, atime_format_table[i], &timebuf)) {
+ if ((s = strptime(string, atime_format_table[i], &timebuf))
+ && (s != string)) {
found = 1;
break;
}
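Review bot: The added test `(s != string)` only rejects the case where strptime consumed nothing, so a string that matches a format on its first few characters and then continues with unparsed text is still accepted as a valid timestamp. If callers pass administrator- or user-supplied expiry and lifetime strings, silently ignoring the tail can yield a different time than the one typed; requiring the whole string to be consumed, for example `&& (s != string) && (*s == '\0')` (optionally after skipping trailing whitespace), would close that. Note also that `timebuf` is cleared once before the loop, so fields written by a format that fails part-way may still be set when the next format is tried; moving the memset inside the loop avoids that. The function starts and ends outside this hunk, so how `timebuf` is used afterwards is not visible here.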