Don't use accessor in encrypted challenge
authorGreg Hudson <ghudson@mit.edu>
Sat, 24 Sep 2011 12:19:14 +0000 (12:19 +0000)
committerGreg Hudson <ghudson@mit.edu>
Sat, 24 Sep 2011 12:19:14 +0000 (12:19 +0000)
Now that the encrypted challenge code is linked into libkrb5 and the
KDC, it's unnecessary to use the accessor there.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25229 dc483132-0cff-0310-8789-dd5450dbe970

src/include/k5-int.h
src/kdc/kdc_preauth_ec.c
src/lib/krb5/krb/preauth_ec.c
src/lib/krb5/os/accessor.c

index 075cec8c716bb5a290006d4f5c1d61129f973ad7..0bb4c164d0fcdb713b7233340ca932c6c67b9d12 100644 (file)
@@ -2127,7 +2127,7 @@ void krb5int_free_srv_dns_data(struct srv_dns_entry *);
 /* To keep happy libraries which are (for now) accessing internal stuff */
 
 /* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 17
+#define KRB5INT_ACCESS_STRUCT_VERSION 18
 
 #ifndef ANAME_SZ
 struct ktext;                   /* from krb.h, for krb524 support */
@@ -2163,17 +2163,6 @@ typedef struct _krb5int_access {
     (*asn1_ldap_decode_sequence_of_keys)(krb5_data *in,
                                          ldap_seqof_key_data **);
 
-    /* Used for encrypted challenge fast factor*/
-    krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **);
-    krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **);
-    void (KRB5_CALLCONV *free_enc_data)(krb5_context, krb5_enc_data *);
-    krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **);
-    krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **);
-    void (KRB5_CALLCONV *free_enc_ts)(krb5_context, krb5_pa_enc_ts *);
-    krb5_error_code
-    (*encrypt_helper)(krb5_context, const krb5_keyblock *, krb5_keyusage,
-                      const krb5_data *, krb5_enc_data *);
-
     /*
      * pkinit asn.1 encode/decode functions
      */
index 3419c831aec5949ad99ffe07bc9e2daad3a06dd5..02446ad3be6be47ca1d9038c00d69ba02d2d81db 100644 (file)
@@ -68,7 +68,6 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
     krb5_data scratch, plain;
     krb5_keyblock *armor_key = NULL;
     krb5_pa_enc_ts *ts = NULL;
-    krb5int_access kaccess;
     krb5_keyblock *client_keys = NULL;
     krb5_data *client_data = NULL;
     krb5_keyblock *challenge_key = NULL;
@@ -76,8 +75,6 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
     int i = 0;
 
     plain.data = NULL;
-    if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
-        return 0;
 
     retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
     if (retval == 0 &&armor_key == NULL) {
@@ -87,7 +84,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
     scratch.data = (char *) data->contents;
     scratch.length = data->length;
     if (retval == 0)
-        retval = kaccess.decode_enc_data(&scratch, &enc);
+        retval = decode_krb5_enc_data(&scratch, &enc);
     if (retval == 0) {
         plain.data =  malloc(enc->ciphertext.length);
         plain.length = enc->ciphertext.length;
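Review bot: The `decode_krb5_enc_data(&scratch, &enc)` call parses `data->contents` in place, and nothing near it records that these bytes are presumably request padata that has not yet been authenticated. The decoded `enc->ciphertext.length` then sizes the `malloc` two lines later, so a short comment would help the next reader, e.g. `/* scratch aliases the padata contents (not owned); the decoded length is untrusted until decryption succeeds. */`. The allocation-failure handling and the rest of kdc_verify_preauth fall outside this hunk, so confirm there that `plain.data` is tested for NULL before it is used.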
@@ -129,7 +126,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
 
     }
     if (retval == 0)
-        retval = kaccess.decode_enc_ts(&plain, &ts);
+        retval = decode_krb5_pa_enc_ts(&plain, &ts);
     if (retval == 0)
         retval = krb5_timeofday(context, &now);
     if (retval == 0) {
@@ -159,9 +156,9 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
     if (plain.data)
         free(plain.data);
     if (enc)
-        kaccess.free_enc_data(context, enc);
+        krb5_free_enc_data(context, enc);
     if (ts)
-        kaccess.free_enc_ts(context, ts);
+        krb5_free_pa_enc_ts(context, ts);
     return retval;
 }
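Review bot: With the free routines now called by name, the `if (enc)` and `if (ts)` guards in this cleanup block look redundant, provided `krb5_free_enc_data` and `krb5_free_pa_enc_ts` return early on NULL (worth confirming in the tree). The `if (plain.data)` guard before `free` is redundant as well. The block could read `free(plain.data); krb5_free_enc_data(context, enc); krb5_free_pa_enc_ts(context, ts);`. The `if (enc)` guard in process_preauth in src/lib/krb5/krb/preauth_ec.c has the same shape. Either form relies on `enc` and `ts` starting out NULL: `ts = NULL` is visible in an earlier hunk, but the declaration of `enc` is outside the visible lines.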
 
@@ -182,23 +179,20 @@ kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
     krb5_enc_data enc;
     krb5_data *encoded = NULL;
     krb5_pa_data *pa = NULL;
-    krb5int_access kaccess;
 
-    if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
-        return 0;
     if (challenge_key == NULL)
         return 0;
     enc.ciphertext.data = NULL; /* In case of error pass through */
 
     retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
     if (retval == 0)
-        retval = kaccess.encode_enc_ts(&ts, &plain);
+        retval = encode_krb5_pa_enc_ts(&ts, &plain);
     if (retval == 0)
-        retval = kaccess.encrypt_helper(context, challenge_key,
-                                        KRB5_KEYUSAGE_ENC_CHALLENGE_KDC,
-                                        plain, &enc);
+        retval = krb5_encrypt_helper(context, challenge_key,
+                                     KRB5_KEYUSAGE_ENC_CHALLENGE_KDC,
+                                     plain, &enc);
     if (retval == 0)
-        retval = kaccess.encode_enc_data(&enc, &encoded);
+        retval = encode_krb5_enc_data(&enc, &encoded);
     if (retval == 0) {
         pa = calloc(1, sizeof(krb5_pa_data));
         if (pa == NULL)
index e56807a3a3981e68c64594cc1092e472f45340a5..94c9284619c7389a6a49ad0aa0202ec88662da29 100644 (file)
@@ -56,10 +56,7 @@ process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
     krb5_enctype enctype = 0;
     krb5_keyblock *challenge_key = NULL, *armor_key = NULL;
     krb5_data *etype_data = NULL;
-    krb5int_access kaccess;
 
-    if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
-        return 0;
     retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
     if (retval || armor_key == NULL)
         return 0;
@@ -82,7 +79,7 @@ process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
                                       as_key, "challengelongterm",
                                       &challenge_key);
         if (retval == 0)
-            retval =kaccess.decode_enc_data(&scratch, &enc);
+            retval = decode_krb5_enc_data(&scratch, &enc);
         scratch.data = NULL;
         if (retval == 0) {
             scratch.data = malloc(enc->ciphertext.length);
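Review bot: `scratch` changes role across these lines, and nothing marks the switch. It is the input to `decode_krb5_enc_data`, is then cleared with `scratch.data = NULL`, and becomes a `malloc`'d buffer sized by the decoded `enc->ciphertext.length`. A comment at the reset would make ownership explicit, e.g. `/* scratch no longer refers to the input; from here it owns a heap buffer sized from the decoded ciphertext. */`. The code that fills and frees that buffer lies outside this hunk, so the cleanup path should be read with this dual use in mind.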
@@ -104,7 +101,7 @@ process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
         if (retval == 0)
             fast_set_kdc_verified(context, get_data_proc, rock);
         if (enc)
-            kaccess.free_enc_data(context, enc);
+            krb5_free_enc_data(context, enc);
     } else if (retval == 0) { /*No padata; we send*/
         krb5_enc_data enc;
         krb5_pa_data *pa = NULL;
@@ -114,21 +111,21 @@ process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
         enc.ciphertext.data = NULL;
         retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
         if (retval == 0)
-            retval = kaccess.encode_enc_ts(&ts, &encoded_ts);
+            retval = encode_krb5_pa_enc_ts(&ts, &encoded_ts);
         if (retval == 0)
             retval = krb5_c_fx_cf2_simple(context,
                                           armor_key, "clientchallengearmor",
                                           as_key, "challengelongterm",
                                           &challenge_key);
         if (retval == 0)
-            retval = kaccess.encrypt_helper(context, challenge_key,
-                                            KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
-                                            encoded_ts, &enc);
+            retval = krb5_encrypt_helper(context, challenge_key,
+                                         KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
+                                         encoded_ts, &enc);
         if (encoded_ts)
             krb5_free_data(context, encoded_ts);
         encoded_ts = NULL;
         if (retval == 0) {
-            retval = kaccess.encode_enc_data(&enc, &encoded_ts);
+            retval = encode_krb5_enc_data(&enc, &encoded_ts);
             krb5_free_data_contents(context, &enc.ciphertext);
         }
         if (retval == 0) {
index 532cd38d0110d69000483cef52b43d3924d97619..5914e2b3fb777ea08def36ac03ad36bc4b43cbf1 100644 (file)
@@ -113,13 +113,6 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
 
             S (encode_krb5_sam_response_2, encode_krb5_sam_response_2),
             S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2),
-            S (encode_enc_ts, encode_krb5_pa_enc_ts),
-            S (decode_enc_ts, decode_krb5_pa_enc_ts),
-            S (encode_enc_data, encode_krb5_enc_data),
-            S(decode_enc_data, decode_krb5_enc_data),
-            S(free_enc_ts, krb5_free_pa_enc_ts),
-            S(free_enc_data, krb5_free_enc_data),
-            S(encrypt_helper, krb5_encrypt_helper),
 
 #if DESIGNATED_INITIALIZERS
         };