From: Chris Provenzano Date: Thu, 2 Feb 1995 03:42:29 +0000 (+0000) Subject: * int-proto.h Update prototypes for krb5_get_cred_via_tgt(), and X-Git-Tag: krb5-1.0-beta5~780 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=21f2356f938fc755cdb6447829dd8f072073e97a;p=krb5.git * int-proto.h Update prototypes for krb5_get_cred_via_tgt(), and krb5_get_cred_via_2tgt(). * get_fcreds.c (krb5_get_for_creds()) * gc_via_tgt.c (krb5_get_cred_via_tgt()) * gc_2tgt.c (krb5_get_cred_via_2tgt()) Removed krb5_enctype argument. Pass NULL list of encryption types to krb5_send_tgs to get default encryption types. * gc_frm_kdc.c Removed krb5_enctype argument passed to krb5_get_cred_via_tgt() * send_tgs.c (krb5_send_tgs()) Changed krb5_enctype arg to krb5_enctype *, a NULL terminated array of encryption types. If argument is NULL then krb5_send_tgs() will use defaul list of encryption types. * send_tgs.c (krb5_send_tgs()) To encrypt request ticket use usecred->keyblock.etype instead of (and now defunct) krb5_enctype arg. * init_ctx.c Added krb5_set_default_in_tkt_etypes() and krb5_get_default_in_tkt_etypes(). * rd_req.c, rd_req_decode.c Removed typedef for rdreq_key_proc and use krb5_rd_req_decoded in its place. * get_fcreds.c Really needs #include for definition of krb5_is_krb_error() git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4875 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 1eff8d70f..c389925da 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,37 @@ +Mon Jan 30 15:46:14 1995 Chris Provenzano (proven@mit.edu) + + * int-proto.h Update prototypes for krb5_get_cred_via_tgt(), and + krb5_get_cred_via_2tgt(). + + * get_fcreds.c (krb5_get_for_creds()) + * gc_via_tgt.c (krb5_get_cred_via_tgt()) + * gc_2tgt.c (krb5_get_cred_via_2tgt()) + Removed krb5_enctype argument. Pass NULL list of encryption + types to krb5_send_tgs to get default encryption types. + + * gc_frm_kdc.c Removed krb5_enctype argument passed to + krb5_get_cred_via_tgt() + + * send_tgs.c (krb5_send_tgs()) Changed krb5_enctype arg to + krb5_enctype *, a NULL terminated array of encryption + types. If argument is NULL then krb5_send_tgs() will + use defaul list of encryption types. + + * send_tgs.c (krb5_send_tgs()) To encrypt request ticket use + usecred->keyblock.etype instead of (and now defunct) + krb5_enctype arg. + + * init_ctx.c Added krb5_set_default_in_tkt_etypes() and + krb5_get_default_in_tkt_etypes(). + + * rd_req.c, rd_req_decode.c Removed typedef for rdreq_key_proc + and use krb5_rd_req_decoded in its place. + +Mon Jan 30 11:26:05 1995 Chris Provenzano (proven@mit.edu) + + * get_fcreds.c Really needs #include for definition + of krb5_is_krb_error() + Sat Jan 28 14:45:55 1995 Chris Provenzano (proven@mit.edu) * in_tkt_sky.c (skey_keyproc()), rd_req_dec.c (krb5_rd_req_decoded()) diff --git a/src/lib/krb5/krb/gc_2tgt.c b/src/lib/krb5/krb/gc_2tgt.c index 5b2c0e304..8cf6be0e9 100644 --- a/src/lib/krb5/krb/gc_2tgt.c +++ b/src/lib/krb5/krb/gc_2tgt.c @@ -32,11 +32,10 @@ #include "int-proto.h" krb5_error_code -krb5_get_cred_via_2tgt (context, tgt, kdcoptions, etype, sumtype, cred) +krb5_get_cred_via_2tgt (context, tgt, kdcoptions, sumtype, cred) krb5_context context; krb5_creds *tgt; const krb5_flags kdcoptions; - const krb5_enctype etype; const krb5_cksumtype sumtype; register krb5_creds * cred; { @@ -48,6 +47,7 @@ krb5_get_cred_via_2tgt (context, tgt, kdcoptions, etype, sumtype, cred) krb5_kdc_rep *dec_rep; krb5_error *err_reply; krb5_response tgsrep; + krb5_enctype etype; /* tgt->client must be equal to cred->client */ /* tgt->server must be equal to krbtgt/realmof(cred->client) */ @@ -75,7 +75,8 @@ krb5_get_cred_via_2tgt (context, tgt, kdcoptions, etype, sumtype, cred) if (!(kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY)) return KRB5_INVALID_FLAGS; - if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, etype, sumtype, + if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, NULL, + sumtype, cred->server, tgt->addresses, cred->authdata, @@ -101,6 +102,7 @@ krb5_get_cred_via_2tgt (context, tgt, kdcoptions, etype, sumtype, cred) free(tgsrep.response.data); return retval; } + etype = tgt->keyblock.etype; retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock, etype, &dec_rep); free(tgsrep.response.data); diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index e18fcfdc3..5b3a90970 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -251,7 +251,6 @@ krb5_error_code krb5_get_cred_from_kdc(context, ccache, cred, tgts) etype = TGT_ETYPE; if(retval = krb5_get_cred_via_tgt(context, &tgt, FLAGS2OPTS(tgtq.ticket_flags), - etype, krb5_kdc_req_sumtype, &tgtq)) { @@ -309,7 +308,6 @@ krb5_error_code krb5_get_cred_from_kdc(context, ccache, cred, tgts) etype = TGT_ETYPE; if (retval = krb5_get_cred_via_tgt(context, &tgt, FLAGS2OPTS(tgtq.ticket_flags), - etype, krb5_kdc_req_sumtype, &tgtq)) { continue; @@ -388,7 +386,6 @@ krb5_error_code krb5_get_cred_from_kdc(context, ccache, cred, tgts) else { retval = krb5_get_cred_via_tgt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags), - etype, krb5_kdc_req_sumtype, cred); } diff --git a/src/lib/krb5/krb/gc_via_tgt.c b/src/lib/krb5/krb/gc_via_tgt.c index 6aa3a11b8..026cf30e0 100644 --- a/src/lib/krb5/krb/gc_via_tgt.c +++ b/src/lib/krb5/krb/gc_via_tgt.c @@ -34,17 +34,17 @@ #include "int-proto.h" krb5_error_code -krb5_get_cred_via_tgt (context, tgt, kdcoptions, etype, sumtype, cred) +krb5_get_cred_via_tgt (context, tgt, kdcoptions, sumtype, cred) krb5_context context; krb5_creds * tgt; const krb5_flags kdcoptions; - const krb5_enctype etype; const krb5_cksumtype sumtype; krb5_creds * cred; { krb5_error_code retval; krb5_principal tempprinc; krb5_data *scratch; + krb5_enctype etype; krb5_kdc_rep *dec_rep; krb5_error *err_reply; krb5_response tgsrep; @@ -72,7 +72,8 @@ krb5_get_cred_via_tgt (context, tgt, kdcoptions, etype, sumtype, cred) krb5_free_principal(context, tempprinc); - if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, etype, sumtype, + if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, NULL, + sumtype, cred->server, tgt->addresses, cred->authdata, @@ -113,6 +114,8 @@ krb5_get_cred_via_tgt (context, tgt, kdcoptions, etype, sumtype, cred) cleanup(); return retval; } + + etype = tgt->keyblock.etype; retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock, etype, /* enctype */ diff --git a/src/lib/krb5/krb/get_fcreds.c b/src/lib/krb5/krb/get_fcreds.c index 7b771965b..a7cfda724 100644 --- a/src/lib/krb5/krb/get_fcreds.c +++ b/src/lib/krb5/krb/get_fcreds.c @@ -35,6 +35,7 @@ #include #include +#include #include #include @@ -44,17 +45,18 @@ /* Get a TGT for use at the remote host */ krb5_error_code -krb5_get_for_creds(context, etype, sumtype, rhost, client, enc_key, forwardable, outbuf) +krb5_get_for_creds(context, sumtype, rhost, client, enc_key, + forwardable, outbuf) krb5_context context; - const krb5_enctype etype; - const krb5_cksumtype sumtype; - char *rhost; - krb5_principal client; - krb5_keyblock *enc_key; - int forwardable; /* Should forwarded TGT also be forwardable? */ - krb5_data *outbuf; + const krb5_cksumtype sumtype; + char *rhost; + krb5_principal client; + krb5_keyblock *enc_key; + int forwardable; /* Should forwarded TGT also be forwardable? */ + krb5_data *outbuf; { struct hostent *hp; + krb5_enctype etype; krb5_address **addrs; krb5_error_code retval; krb5_data *scratch; @@ -165,7 +167,8 @@ krb5_get_for_creds(context, etype, sumtype, rhost, client, enc_key, forwardable, if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */ kdcoptions &= ~(KDC_OPT_FORWARDABLE); - if (retval = krb5_send_tgs(context, kdcoptions, &creds.times, etype, sumtype, + if (retval = krb5_send_tgs(context, kdcoptions, &creds.times, NULL, + sumtype, tgt.server, addrs, creds.authdata, @@ -193,6 +196,7 @@ krb5_get_for_creds(context, etype, sumtype, rhost, client, enc_key, forwardable, goto errout; } + etype = tgt.keyblock.etype; if (retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt.keyblock, etype, /* enctype */ diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 1d7758116..e3debf0d3 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -42,8 +42,11 @@ krb5_init_context(context) memset(ctx, 0, sizeof(struct _krb5_context)); ctx->magic = KV5M_CONTEXT; - retval = krb5_os_init_context(ctx); - if (retval) + /* Set the default encryption types, possible defined in krb5/conf */ + if (krb5_set_default_in_tkt_etypes(ctx, NULL)) + goto cleanup; + + if (krb5_os_init_context(ctx)) goto cleanup; *context = ctx; @@ -58,7 +61,75 @@ void krb5_free_context(ctx) krb5_context ctx; { - krb5_os_free_context(ctx); - ctx->magic = 0; - free(ctx); + krb5_os_free_context(ctx); + + if (ctx->etypes); + free(ctx->etypes); + + ctx->magic = 0; + free(ctx); +} + +/* + * Set the desired default etypes, making sure they are valid. + */ +krb5_error_code +krb5_set_default_in_tkt_etypes(context, etypes) + krb5_context context; + const krb5_enctype *etypes; +{ + krb5_enctype * new_etypes; + int i; + + if (etypes) { + for (i = 0; etypes[i]; i++) { + if (!valid_etype(etypes[i])) + return KRB5_PROG_ETYPE_NOSUPP; + } + + /* Now copy the default etypes into the context pointer */ + if (new_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i)) + memcpy(new_etypes, etypes, sizeof(krb5_enctype) * i); + else + return ENOMEM; + + } else { + i = 2; + + /* Should reset the list to the runtime defaults */ + if (new_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i)) { + new_etypes[0] = ETYPE_DES_CBC_MD5; + new_etypes[1] = ETYPE_DES_CBC_CRC; + } else { + return ENOMEM; + } + } + + if (context->etypes) + free(context->etypes); + context->etypes = new_etypes; + context->etype_count = i; + return 0; +} + +krb5_error_code +krb5_get_default_in_tkt_etypes(context, etypes) + krb5_context context; + krb5_enctype **etypes; +{ + krb5_enctype * old_etypes; + int i; + + if (old_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * + (context->etype_count + 1))) { + memcpy(old_etypes, context->etypes, sizeof(krb5_enctype) * + context->etype_count); + old_etypes[context->etype_count] = NULL; + } else { + return ENOMEM; + } + + *etypes = old_etypes; + return 0; + } diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h index 84fd4ccf2..fcf739acb 100644 --- a/src/lib/krb5/krb/int-proto.h +++ b/src/lib/krb5/krb/int-proto.h @@ -29,17 +29,22 @@ #define KRB5_INT_FUNC_PROTO__ krb5_error_code krb5_tgtname - PROTOTYPE((krb5_context context, - const krb5_data *, - const krb5_data *, - krb5_principal *)); + PROTOTYPE((krb5_context context, + const krb5_data *, + const krb5_data *, + krb5_principal *)); krb5_error_code krb5_get_cred_via_tgt - PROTOTYPE((krb5_context context, - krb5_creds *, - const krb5_flags, - const krb5_enctype, - const krb5_cksumtype, - krb5_creds * )); + PROTOTYPE((krb5_context context, + krb5_creds *, + const krb5_flags, + const krb5_cksumtype, + krb5_creds * )); +krb5_error_code krb5_get_cred_via_tgt + PROTOTYPE((krb5_context context, + krb5_creds *, + const krb5_flags, + const krb5_cksumtype, + krb5_creds * )); #endif /* KRB5_INT_FUNC_PROTO__ */ diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c index 6b2d08518..058a0a473 100644 --- a/src/lib/krb5/krb/rd_req.c +++ b/src/lib/krb5/krb/rd_req.c @@ -54,11 +54,6 @@ * returns system errors, encryption errors, replay errors */ -typedef krb5_error_code (*rdreq_key_proc) PROTOTYPE((krb5_pointer, - krb5_principal, - krb5_kvno, - krb5_keyblock **)); - krb5_error_code krb5_rd_req(context, inbuf, server, sender_addr, fetchfrom, keyproc, keyprocarg, rcache, authdat) diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 93b729aea..21aee0956 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -64,9 +64,6 @@ static krb5_error_code decrypt_authenticator PROTOTYPE((krb5_context, const krb5_ap_req *, krb5_authenticator **)); -typedef krb5_error_code (*rdreq_key_proc) - PROTOTYPE((krb5_context, krb5_pointer, krb5_principal, - krb5_kvno, krb5_keyblock **)); extern krb5_deltat krb5_clockskew; #define in_clock_skew(date) (abs((date)-currenttime) < krb5_clockskew) @@ -79,11 +76,12 @@ krb5_rd_req_decoded(context, req, server, sender_addr, fetchfrom, keyproc, krb5_const_principal server; const krb5_address *sender_addr; const char * fetchfrom; - rdreq_key_proc keyproc; + krb5_rdreq_key_proc keyproc; krb5_pointer keyprocarg; krb5_rcache rcache; krb5_tkt_authent **authdat; { + krb5_keytype keytype; krb5_error_code retval = 0; krb5_keyblock *tkt_key = NULL; krb5_timestamp currenttime, starttime; @@ -95,10 +93,16 @@ krb5_rd_req_decoded(context, req, server, sender_addr, fetchfrom, keyproc, /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) do we need special processing here ? */ + /* + * OK we know the encryption type req->ticket->enc_part.etype, + * and now we need to get the keytype + */ + keytype = krb5_csarray[req->ticket->enc_part.etype]->system->proto_keytype; + /* fetch a server key */ if (keyproc) { retval = (*keyproc)(context, keyprocarg, req->ticket->server, - req->ticket->enc_part.kvno, &tkt_key); + req->ticket->enc_part.kvno, keytype, &tkt_key); } else { krb5_keytab keytabid; krb5_keytab_entry ktentry; @@ -111,13 +115,6 @@ krb5_rd_req_decoded(context, req, server, sender_addr, fetchfrom, keyproc, retval = krb5_kt_default(context, &keytabid); } if (!retval) { - /* - * OK we know the encryption type req->ticket->enc_part.etype, - * and now we need to get the keytype - */ - krb5_keytype keytype = krb5_csarray[req->ticket->enc_part.etype]-> - system->proto_keytype; - retval = krb5_kt_get_entry(context, keytabid, req->ticket->server, req->ticket->enc_part.kvno, keytype, &ktentry); diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index bc15f6659..27fde8f00 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -49,12 +49,12 @@ returns system errors */ krb5_error_code -krb5_send_tgs(context, kdcoptions, timestruct, etype, sumtype, sname, addrs, +krb5_send_tgs(context, kdcoptions, timestruct, etypes, sumtype, sname, addrs, authorization_data, padata, second_ticket, usecred, rep) krb5_context context; const krb5_flags kdcoptions; const krb5_ticket_times * timestruct; - const krb5_enctype etype; + const krb5_enctype * etypes; const krb5_cksumtype sumtype; krb5_const_principal sname; krb5_address * const * addrs; @@ -70,16 +70,25 @@ krb5_send_tgs(context, kdcoptions, timestruct, etype, sumtype, sname, addrs, krb5_data *scratch, scratch2; krb5_ticket *sec_ticket = 0; krb5_ticket *sec_ticket_arr[2]; - krb5_enctype etypes[1]; krb5_timestamp time_now; krb5_pa_data **combined_padata; krb5_pa_data ap_req_padata; - if (!valid_etype(etype)) - return KRB5_PROG_ETYPE_NOSUPP; - memset((char *)&tgsreq, 0, sizeof(tgsreq)); + if (etypes) { + /* Check passed etypes and make sure they're valid. */ + for (tgsreq.netypes = 0; etypes[tgsreq.netypes]; tgsreq.netypes++) { + if (!valid_etype(etypes[tgsreq.netypes])) + return KRB5_PROG_ETYPE_NOSUPP; + } + tgsreq.etype = (krb5_enctype *)etypes; + } else { + /* Get the default etypes */ + krb5_get_default_in_tkt_etypes(context, &(tgsreq.etype)); + for(tgsreq.netypes = 0; tgsreq.etype[tgsreq.netypes]; tgsreq.netypes++); + } + tgsreq.kdc_options = kdcoptions; tgsreq.server = (krb5_principal) sname; @@ -91,10 +100,6 @@ krb5_send_tgs(context, kdcoptions, timestruct, etype, sumtype, sname, addrs, /* XXX we know they are the same size... */ tgsreq.nonce = (krb5_int32) time_now; - etypes[0] = etype; - tgsreq.etype = etypes; - tgsreq.netypes = 1; - tgsreq.addresses = (krb5_address **) addrs; if (authorization_data) { @@ -104,8 +109,8 @@ krb5_send_tgs(context, kdcoptions, timestruct, etype, sumtype, sname, addrs, if (retval = encode_krb5_authdata(authorization_data, &scratch)) return(retval); - krb5_use_cstype(context, &eblock, etype); - tgsreq.authorization_data.etype = etype; + krb5_use_cstype(context, &eblock, usecred->keyblock.etype); + tgsreq.authorization_data.etype = usecred->keyblock.etype; tgsreq.authorization_data.kvno = 0; /* ticket session key has */ /* no version */ tgsreq.authorization_data.ciphertext.length =