From 0d34b37b7abcdd2eba13d45df5feadf135e4602a Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 12 Jul 2010 18:53:54 +0000
Subject: [PATCH] Add check_transited_realms to the DAL table with a corresponding libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24183 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb.h | 29 +++++++++++++++--------------
 src/kdc/kdc_util.c | 29 ++++------------------------
 src/lib/kdb/kdb5.c | 18 ++++++++++++++++++
 src/lib/kdb/libkdb5.exports | 1 +
 src/plugins/kdb/db2/db2_exp.c | 2 +-
 src/plugins/kdb/ldap/ldap_exp.c | 1 +
 6 files changed, 40 insertions(+), 40 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 3012b028f..cb9a32820 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -323,7 +323,6 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008
 
 /* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
 #define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
 #define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
 #define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
@@ -331,13 +330,6 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
 
-typedef struct _kdb_check_transited_realms_req {
- krb5_magic magic;
- const krb5_data *tr_contents;
- const krb5_data *client_realm;
- const krb5_data *server_realm;
-} kdb_check_transited_realms_req;
-
 typedef struct _kdb_check_policy_as_req {
 krb5_magic magic;
 krb5_kdc_req *request;
@@ -652,6 +644,11 @@ krb5_error_code krb5_db_sign_authdata(krb5_context kcontext,
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data);
 
+krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm);
+
 krb5_error_code krb5_db_invoke ( krb5_context kcontext,
 unsigned int method,
 const krb5_data *req,
@@ -1255,17 +1252,21 @@ typedef struct _kdb_vftabl {
 krb5_authdata **tgt_auth_data,
 krb5_authdata ***signed_auth_data);
 
+ /*
+ * Optional: Perform a policy check on a cross-realm ticket's transited
+ * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+ * check fails.
+ */
+ krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm);
+
 /*
 * Optional: Perform an operation on input data req with output stored in
 * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
 * method. Defined methods are:
 *
- *
- * KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
 * kdb_check_transited_realms_req structure. Perform a policy check on
 * a cross-realm ticket's transited field and return an error (other
 * than KRB5_PLUGIN_OP_NOTSUPP) if the check fails. Leave rep alone.
 *
 * KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req
 * structure. Perform a policy check on an AS request, in addition to
 * the standard policy checks. Return 0 if the AS request is allowed
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7bc097ebf..db5434d52 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
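Review bot: Inserting the `check_transited_realms` slot ahead of `invoke` in `kdb_vftabl` shifts the offset of every later member, so a module built against the previous table layout would have its `invoke` pointer sit where the new `krb5_db_check_transited_realms` wrapper expects `check_transited_realms` and be called with the wrong argument list; unless the DAL major version was already bumped earlier in this development cycle (not visible in this patch), that layout change should be called out in the commit message or the version bumped here. The new slot's comment states what a module returns when the check fails but not what a module that applies no transited-realm policy should do; adding `Leave the slot NULL, or return KRB5_PLUGIN_OP_NOTSUPP, if the module applies no additional transited-realm policy.` would make the contract explicit for module authors. The `_kdb_vftabl` definition starts and ends outside this hunk.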
@@ -2267,37 +2267,16 @@ kdc_check_transited_list(krb5_context context,
 const krb5_data *realm2)
 {
 krb5_error_code code;
- kdb_check_transited_realms_req req;
- krb5_data req_data;
- krb5_data rep_data;
 
- /* First check using krb5.conf */
+ /* Check using krb5.conf */
 code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
 if (code)
 return code;
 
- memset(&req, 0, sizeof(req));
-
- req.tr_contents = trans;
- req.client_realm = realm1;
- req.server_realm = realm2;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = NULL;
- rep_data.length = 0;
-
- code = krb5_db_invoke(context,
- KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS,
- &req_data,
- &rep_data);
- if (code == KRB5_PLUGIN_OP_NOTSUPP) {
+ /* Check against the KDB module. */
+ code = krb5_db_check_transited_realms(context, trans, realm1, realm2);
+ if (code == KRB5_PLUGIN_OP_NOTSUPP)
 code = 0;
- }
-
- assert(rep_data.length == 0);
-
 return code;
 }
 
diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c
index 882e98cfc..0e12eb183 100644
--- a/src/lib/kdb/kdb5.c
+++ b/src/lib/kdb/kdb5.c
@@ -2246,6 +2246,24 @@ krb5_db_sign_authdata(krb5_context kcontext, unsigned int flags,
 signed_auth_data);
 }
 
+krb5_error_code
+krb5_db_check_transited_realms(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm)
+{
+ krb5_error_code status;
+ kdb_vftabl *v;
+
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+ if (v->check_transited_realms == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->check_transited_realms(kcontext, tr_contents, client_realm,
+ server_realm);
+}
+
 krb5_error_code
 krb5_db_invoke(krb5_context kcontext,
 unsigned int method,
diff --git a/src/lib/kdb/libkdb5.exports b/src/lib/kdb/libkdb5.exports
index 4f0eca753..dcba09e93 100644
--- a/src/lib/kdb/libkdb5.exports
+++ b/src/lib/kdb/libkdb5.exports
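Review bot: The new `if (code == KRB5_PLUGIN_OP_NOTSUPP)` line turns a module that lacks the method into an allow decision, which is intended because the krb5.conf check above has already accepted the path, but the added comment `/* Check against the KDB module. */` does not say so; suggest `/* Apply the KDB module's transited-realm policy, if it has one; a module without the method adds no restriction beyond krb5.conf. */` so a later reader does not mistake the mapping for fail-open. The new call also passes the `context` parameter while the krb5.conf check two lines above uses the `kdc_context` global, so the two checks may be consulting different contexts; using one of them consistently in this function would make that clearer. The signature of kdc_check_transited_list starts outside the hunk.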
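Review bot: `krb5_db_check_transited_realms` is a new exported libkdb5 entry point but has no comment describing its contract, and its return values carry a policy meaning: a missing slot yields KRB5_PLUGIN_OP_NOTSUPP, while a `get_vftabl` failure or a module error is a rejection, so a caller that forgets to special-case NOTSUPP fails closed and one that maps every error to 0 fails open. Suggest a short comment above the definition: `/* Run the loaded module's transited-realm policy check. Returns KRB5_PLUGIN_OP_NOTSUPP if the module does not provide check_transited_realms; any other nonzero status means the check failed or the module could not be reached. */`. The function body is complete within the hunk.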
@@ -3,6 +3,7 @@ krb5_db_open
 krb5_db_inited
 krb5_db_alloc
 krb5_db_free
+krb5_db_check_transited_realms
 krb5_db_create
 krb5_db_delete_principal
 krb5_db_destroy
diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c
index 26e1fd93d..c2748861f 100644
--- a/src/plugins/kdb/db2/db2_exp.c
+++ b/src/plugins/kdb/db2/db2_exp.c
@@ -242,6 +242,6 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_db2, kdb_function_table) = {
 /* get_master_key_list */ wrap_krb5_db2_get_mkey_list,
 /* blah blah blah */ 0,0,0,0,0,
 /* promote_db */ wrap_krb5_db2_promote_db,
- 0, 0, 0,
+ 0, 0, 0, 0,
 /* invoke */ wrap_krb5_db2_invoke
 };
diff --git a/src/plugins/kdb/ldap/ldap_exp.c b/src/plugins/kdb/ldap/ldap_exp.c
index 9facefb90..3228aa06e 100644
--- a/src/plugins/kdb/ldap/ldap_exp.c
+++ b/src/plugins/kdb/ldap/ldap_exp.c
@@ -83,6 +83,7 @@ kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_ldap, kdb_function_table) = {
 /* decrypt_key_data */ NULL,
 /* encrypt_key_data */ NULL,
 /* sign_authdata */ NULL,
+ /* check_transited_realms */ NULL,
 /* invoke */ krb5_ldap_invoke,
 };
 
-- 
2.26.2
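Review bot: The changed line `+ 0, 0, 0, 0,` in db2_exp.c fills four positional `kdb_vftabl` slots with unlabelled zeros, so the next table change will again require counting entries against kdb.h by hand, and an off-by-one there silently binds a module function to the wrong slot; the ldap_exp.c hunk in this same patch shows the labelled form `/* check_transited_realms */ NULL,`, and its ordering suggests the four zeros are decrypt_key_data, encrypt_key_data, sign_authdata and check_transited_realms. Suggest labelling each zero with its slot name, matching the surrounding `/* promote_db */` and `/* invoke */` entries. The `kdb_function_table` initializer starts outside the hunk.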