From 57a21011ff605a03c3ae5d021c4a0c2ef8361b4c Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Sat, 10 May 2003 02:09:34 +0000 Subject: [PATCH] Add a new krb5_context field for the config-file tgs_enctypes, which applications cannot override, and use it for ticket-granting tickets needed to acquire some desired service ticket. ticket: 1429 tags: pullup status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15411 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/ChangeLog | 5 +++++ src/include/k5-int.h | 11 +++++++++++ src/lib/krb5/krb/ChangeLog | 12 ++++++++++++ src/lib/krb5/krb/gc_frm_kdc.c | 37 ++++++++++++++++++----------------- src/lib/krb5/krb/init_ctx.c | 31 ++++++++++++++++++++++++----- 5 files changed, 73 insertions(+), 23 deletions(-) diff --git a/src/include/ChangeLog b/src/include/ChangeLog index 327e3e397..00f359f4a 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,8 @@ +2003-05-09 Ken Raeburn + + * k5-int.h (struct _krb5_context): New fields conf_tgs_ktypes, + conf_tgs_ktypes_count, use_conf_ktypes. + 2003-05-09 Tom Yu * krb5.hin: Add krb5_auth_con_getsendsubkey, diff --git a/src/include/k5-int.h b/src/include/k5-int.h index ccbd16899..596784bef 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -1017,6 +1017,17 @@ struct _krb5_context { absolute limit on the UDP packet size. */ int udp_pref_limit; + /* This is the tgs_ktypes list as read from the profile, or + set to compiled-in defaults. The application code cannot + override it. This is used for session keys for + intermediate ticket-granting tickets used to acquire the + requested ticket (the session key of which may be + constrained by tgs_ktypes above). */ + krb5_enctype *conf_tgs_ktypes; + int conf_tgs_ktypes_count; + /* Use the _configured version? */ + krb5_boolean use_conf_ktypes; + #ifdef KRB5_DNS_LOOKUP krb5_boolean profile_in_memory; #endif /* KRB5_DNS_LOOKUP */ 
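Review bot: The new `use_conf_ktypes` field in struct _krb5_context is documented only as `/* Use the _configured version? */`, which does not say that it is transient state flipped by the library rather than a setting, and nothing in the struct stops an application from reading or writing it. The gc_frm_kdc.c hunks in this patch set it to 1 while intermediate TGTs are fetched and restore the saved value before the final service-ticket request and again at cleanup, so the comment should state that contract, e.g. `/* Transient: set by krb5_get_cred_from_kdc_opt() while acquiring intermediate TGTs and restored before it returns; not an application-visible setting. */`. It would also help to note next to `conf_tgs_ktypes` that it is a private copy taken once in init_common (init_ctx.c hunk below), so presumably a later krb5_set_default_tgs_ktypes() call does not affect it.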
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index d6663bfe8..46c4754d6 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,15 @@ +2003-05-09 Ken Raeburn + + * init_ctx.c (init_common): Copy tgs_ktypes array to + conf_tgs_ktypes. Clear use_conf_ktypes. + (krb5_free_context): Free conf_tgs_ktypes. + (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between + tgs_ktypes and conf_tgs_ktypes. + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes + in context to 1 for all operations except the acquisition of the + desired service ticket. + 2003-05-09 Tom Yu * auth_con.c (krb5_auth_con_setsendsubkey) diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index b5c99428a..8ca62cce6 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994 by the Massachusetts Institute of Technology. + * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology. * Copyright (c) 1994 CyberSAFE Corporation * Copyright (c) 1993 Open Computing Security Group * Copyright (c) 1990,1991 by the Massachusetts Institute of Technology. @@ -76,6 +76,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds krb5_principal *top_server = NULL; krb5_principal *next_server = NULL; unsigned int nservers = 0; + krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes; /* in case we never get a TGT, zero the return */ @@ -114,6 +115,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; } + context->use_conf_ktypes = 1; if ((retval = krb5_cc_retrieve_cred(context, ccache, KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, &tgtq, &tgt))) { 
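Review bot: Setting `context->use_conf_ktypes = 1` before the `krb5_cc_retrieve_cred` call turns a per-call decision into mutable state on a shared `krb5_context`, and the function then relies on every exit between this point and the restore at `cleanup:` going through that label; any direct `return` in the part of the function not shown would leave the application's context permanently in configured-only mode. A comment at the assignment should make the invariant explicit, e.g. `/* From here until the final service-ticket request every exit must go through cleanup:, which restores use_conf_ktypes. */`. Note also that the `KRB5_TC_SUPPORTED_KTYPES` match in the following `krb5_cc_retrieve_cred` now filters cached TGTs against the configured list rather than the application's, so a cached TGT whose session-key type is only in the application-set list is no longer considered; that appears intended, but it is a visible behavior change worth a sentence in that comment. krb5_get_cred_from_kdc_opt begins before this hunk.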
@@ -231,21 +233,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds krb5_free_cred_contents(context, &tgtq); memset(&tgtq, 0, sizeof(tgtq)); -#ifdef HAVE_C_STRUCTURE_ASSIGNMENT tgtq.times = tgt.times; -#else - memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times)); -#endif - if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client))) goto cleanup; if ((retval = krb5_copy_principal(context, int_server, &tgtq.server))) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, &tgtq, &tgtr); + if (retval) { /* * couldn't get one so now loop backwards through the realms @@ -301,12 +299,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, - &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, + &tgtq, &tgtr); + if (retval) continue; - } /* save tgt in return array */ if ((retval = krb5_copy_creds(context, tgtr, @@ -376,10 +374,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; } - retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) | - kdcopt | - (in_cred->second_ticket.length ? - KDC_OPT_ENC_TKT_IN_SKEY : 0), + context->use_conf_ktypes = old_use_conf_ktypes; + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgt.ticket_flags) | + kdcopt | + (in_cred->second_ticket.length ? + KDC_OPT_ENC_TKT_IN_SKEY : 0), tgt.addresses, in_cred, out_cred); /* cleanup and return */ 
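Review bot: The restore of `context->use_conf_ktypes` immediately before the final `krb5_get_cred_via_tkt` is the whole point of the change but carries no comment, and a reader who sees the same restore again at `cleanup:` in the next hunk may assume one of them is redundant. Add a comment here, e.g. `/* Only the service ticket itself may be limited to the application's tgs_ktypes; the intermediate TGTs above were pinned to the configured list. */`, and keep the second restore at cleanup as the error-path safety net. The `if (retval)` and brace rewrites in the two earlier hunks on this line and the removal of the HAVE_C_STRUCTURE_ASSIGNMENT fallback are unrelated cleanups in a change tagged for pullup, which makes the backport harder to review. The enclosing function starts before and ends after this hunk.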
@@ -395,6 +395,7 @@ cleanup: if (ret_tgts) free(ret_tgts); krb5_free_cred_contents(context, &tgt); } + context->use_conf_ktypes = old_use_conf_ktypes; return(retval); } diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 426337bab..a37d8e0a7 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/init_ctx.c * - * Copyright 1994,1999,2000, 2002 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -147,6 +147,13 @@ init_common (krb5_context *context, krb5_boolean secure) if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL))) goto cleanup; + ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype)); + if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0) + goto cleanup; + memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes, + sizeof(krb5_enctype) * ctx->tgs_ktype_count); + ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count; + if ((retval = krb5_os_init_context(ctx))) goto cleanup; @@ -222,6 +229,7 @@ init_common (krb5_context *context, krb5_boolean secure) ctx->fcc_default_format = tmp + 0x0500; ctx->scc_default_format = tmp + 0x0500; ctx->prompt_types = 0; + ctx->use_conf_ktypes = 0; ctx->udp_pref_limit = -1; *context = ctx; @@ -248,6 +256,11 @@ krb5_free_context(krb5_context ctx) ctx->tgs_ktypes = 0; } + if (ctx->conf_tgs_ktypes) { + free(ctx->conf_tgs_ktypes); + ctx->conf_tgs_ktypes = 0; + } + if (ctx->default_realm) { free(ctx->default_realm); ctx->default_realm = 0; 
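Review bot: On allocation failure in the new `calloc` block in init_common, `goto cleanup` is taken while `retval` still holds the 0 returned by the preceding `krb5_set_default_tgs_ktypes` call, so unless the `cleanup:` label (outside this hunk) derives an error on its own, the caller receives a success return with no usable context. The check should set an error first: `if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0) { retval = ENOMEM; goto cleanup; }`. Separately, when `tgs_ktype_count` is 0, `calloc(0, ...)` may return NULL and the following `memcpy` is then called with a NULL destination, which is undefined even for a zero length; guarding the copy with `if (ctx->tgs_ktype_count != 0)` avoids that. A one-line comment above the block stating that this is a private snapshot the application cannot change would also help the next reader.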
@@ -296,7 +309,8 @@ krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes) } static krb5_error_code -get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list) +get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, + int ctx_count, krb5_enctype *ctx_list) { krb5_enctype *old_ktypes; @@ -431,9 +445,16 @@ krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes) { - return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", - context->tgs_ktype_count, - context->tgs_ktypes)); + if (context->use_conf_ktypes) + /* This one is set *only* by reading the config file; it's not + set by the application. */ + return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + context->conf_tgs_ktypes_count, + context->conf_tgs_ktypes)); + else + return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + context->tgs_ktype_count, + context->tgs_ktypes)); } krb5_error_code -- 2.26.2
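Review bot: The two branches of krb5_get_tgs_ktypes differ only in which count/list pair is passed to `get_profile_etype_list`, so selecting the pair once and making a single call avoids a future edit changing one branch and not the other: `krb5_boolean conf = context->use_conf_ktypes;` followed by `return get_profile_etype_list(context, ktypes, "default_tgs_enctypes", conf ? context->conf_tgs_ktypes_count : context->tgs_ktype_count, conf ? context->conf_tgs_ktypes : context->tgs_ktypes);`. The added comment says the list is set `*only* by reading the config file`, but the k5-int.h hunk describes `conf_tgs_ktypes` as the profile value or the compiled-in defaults, so the comment should say that instead, e.g. `/* Profile value or compiled-in default; never the application-supplied list. */`.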