From 4927815fb1ce8a41e0b1d3e6cd980b02b3fa7722 Mon Sep 17 00:00:00 2001 From: John Kohl Date: Wed, 13 Feb 1991 13:42:07 +0000 Subject: [PATCH] add TGS key caching git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1680 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/extern.c | 5 ++++ src/kdc/extern.h | 4 +++ src/kdc/kdc_util.c | 65 +++++++++++++++++++++++++--------------------- src/kdc/main.c | 45 ++++++++++++++++++++++++++++++++ 4 files changed, 90 insertions(+), 29 deletions(-) diff --git a/src/kdc/extern.c b/src/kdc/extern.c index 3df653724..1fc591e76 100644 --- a/src/kdc/extern.c +++ b/src/kdc/extern.c @@ -36,3 +36,8 @@ volatile int signal_requests_exit = 0; /* gets set when signal hits */ char *dbm_db_name = DEFAULT_DBM_FILE; +krb5_keyblock tgs_key; +krb5_kvno tgs_kvno; + +static krb5_data tgs_name = {sizeof(TGTNAME)-1, TGTNAME}; +krb5_data *tgs_server[4] = {0, &tgs_name, 0, 0}; diff --git a/src/kdc/extern.h b/src/kdc/extern.h index 7d1c0e57f..d85b66e68 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -30,4 +30,8 @@ extern krb5_principal master_princ; extern volatile int signal_requests_exit; extern char *dbm_db_name; +extern krb5_keyblock tgs_key; +extern krb5_kvno tgs_kvno; +extern krb5_data *tgs_server[4]; + #endif /* __KRB5_KDC_EXTERN__ */ diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 63e91e3b5..ada2d5406 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2,7 +2,7 @@ * $Source$ * $Author$ * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990,1991 by the Massachusetts Institute of Technology. * * For copying and distribution information, please see the file * . @@ -127,6 +127,7 @@ krb5_ticket **ticket; krb5_checksum our_cksum; krb5_data *scratch, scratch2; krb5_pa_data **tmppa; + krb5_boolean freeprinc = FALSE; if (!request->padata) return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; @@ -169,31 +170,35 @@ krb5_ticket **ticket; return KRB5KDC_ERR_POLICY; } - /* XXX perhaps we should optimize the case of the TGS, by having - the key always hanging around? */ - - nprincs = 1; - if (retval = krb5_db_get_principal(apreq->ticket->server, - &server, &nprincs, - &more)) { - cleanup_apreq(); - return(retval); - } - if (more) { - krb5_db_free_principal(&server, nprincs); - cleanup_apreq(); - return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); - } else if (nprincs != 1) { - krb5_db_free_principal(&server, nprincs); - cleanup_apreq(); - return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); - } - /* convert server.key into a real key (it may be encrypted - in the database) */ - if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key)) { - krb5_db_free_principal(&server, nprincs); - cleanup_apreq(); - return retval; + if (krb5_principal_compare(tgs_server, apreq->ticket->server)) { + encrypting_key = tgs_key; + server.kvno = tgs_kvno; + server.principal = tgs_server; + } else { + nprincs = 1; + if (retval = krb5_db_get_principal(apreq->ticket->server, + &server, &nprincs, + &more)) { + cleanup_apreq(); + return(retval); + } + if (more) { + krb5_db_free_principal(&server, nprincs); + cleanup_apreq(); + return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); + } else if (nprincs != 1) { + krb5_db_free_principal(&server, nprincs); + cleanup_apreq(); + return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); + } + /* convert server.key into a real key (it may be encrypted + in the database) */ + if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &encrypting_key)) { + krb5_db_free_principal(&server, nprincs); + cleanup_apreq(); + return retval; + } + freeprinc = TRUE; } who.dbentry = &server; who.key = &encrypting_key; @@ -204,9 +209,11 @@ krb5_ticket **ticket; (krb5_pointer)&who, 0, /* no replay cache */ &authdat); - krb5_db_free_principal(&server, nprincs); - memset((char *)encrypting_key.contents, 0, encrypting_key.length); - free((char *)encrypting_key.contents); + if (freeprinc) { + krb5_db_free_principal(&server, nprincs); + memset((char *)encrypting_key.contents, 0, encrypting_key.length); + free((char *)encrypting_key.contents); + } if (retval) { cleanup_apreq(); return(retval); diff --git a/src/kdc/main.c b/src/kdc/main.c index 512f65d65..6f49e17e4 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -237,6 +237,9 @@ krb5_principal masterkeyname; krb5_keyblock *masterkeyblock; { krb5_error_code retval; + int nprincs; + krb5_boolean more; + krb5_db_entry server; /* set db name if appropriate */ if (dbname && (retval = krb5_db_set_name(dbname))) @@ -259,6 +262,46 @@ krb5_keyblock *masterkeyblock; return(retval); } + /* fetch the TGS key, and hold onto it; this is an efficiency hack */ + + /* the master key name here is from the master_princ global, + so we can safely share its substructure */ + + tgs_server[0] = krb5_princ_realm(masterkeyname); + /* tgs_server[1] is init data */ + tgs_server[2] = krb5_princ_realm(masterkeyname); + /* tgs_server[3] is init data (0) */ + + nprincs = 1; + if (retval = krb5_db_get_principal(tgs_server, + &server, &nprincs, + &more)) { + return(retval); + } + if (more) { + krb5_db_free_principal(&server, nprincs); + (void) krb5_finish_key(&master_encblock); + memset((char *)&master_encblock, 0, sizeof(master_encblock)); + (void) krb5_db_fini(); + return(KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE); + } else if (nprincs != 1) { + krb5_db_free_principal(&server, nprincs); + (void) krb5_finish_key(&master_encblock); + memset((char *)&master_encblock, 0, sizeof(master_encblock)); + (void) krb5_db_fini(); + return(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN); + } + /* convert server.key into a real key (it may be encrypted + in the database) */ + if (retval = KDB_CONVERT_KEY_OUTOF_DB(&server.key, &tgs_key)) { + krb5_db_free_principal(&server, nprincs); + (void) krb5_finish_key(&master_encblock); + memset((char *)&master_encblock, 0, sizeof(master_encblock)); + (void) krb5_db_fini(); + return retval; + } + tgs_kvno = server.kvno; + krb5_db_free_principal(&server, nprincs); return 0; } @@ -272,6 +315,8 @@ closedown_db() memset((char *)&master_encblock, 0, sizeof(master_encblock)); + memset((char *)tgs_key.contents, 0, tgs_key.length); + /* close database */ if (retval) { (void) krb5_db_fini(); -- 2.26.2