authorGreg Hudson <ghudson@mit.edu>2009-12-09 17:54:07 +0000
committerGreg Hudson <ghudson@mit.edu>2009-12-09 17:54:07 +0000
commitd9b2d59a6d29e8dc6dffd16a7d3eb2e4b7a0e213 (patch)
treed14f61b348f28b97aa2da39b7c5c8d5130f92ef4
parent767e1bbcdcb7410dda490213e59effe586d614a4 (diff)
Fix some formatting issuesfast-negotiate
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/fast-negotiate@23461 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/clients/kinit/kinit.c4
-rw-r--r--src/include/k5-int.h3
-rw-r--r--src/include/krb5/krb5.hin43
-rw-r--r--src/kdc/do_as_req.c3
-rw-r--r--src/kdc/do_tgs_req.c34
-rw-r--r--src/kdc/kdc_preauth.c17
-rw-r--r--src/kdc/kdc_util.c12
-rw-r--r--src/lib/crypto/krb/make_checksum.c5
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c3
-rw-r--r--src/lib/krb5/krb/fast.c50
-rw-r--r--src/lib/krb5/krb/fast.h25
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c100
-rw-r--r--src/lib/krb5/krb/gic_opt.c15
13 files changed, 168 insertions, 146 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 95e70ed14..fdfae8828 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -682,8 +682,8 @@ k5_kinit(opts, k5)
}
if ((opts->action != INIT_PW) && (opts->action != INIT_KT)) {
- code = krb5_cc_initialize(k5->ctx, k5->cc,
- opts->canonicalize ? my_creds.client : k5->me);
+ code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ?
+ my_creds.client : k5->me);
if (code) {
com_err(progname, code, "when initializing cache %s",
opts->k5_cache_name?opts->k5_cache_name:"");
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index f17899170..45f7ccef4 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -257,8 +257,7 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
-#define KRB5_CCCONF_FAST_AVAIL "fast_avail"
-
+#define KRB5_CONF_FAST_AVAIL "fast_avail"
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
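Review bot: The renamed macro `+#define KRB5_CONF_FAST_AVAIL "fast_avail"` now carries the `KRB5_CONF_` prefix that the neighbouring lines use for krb5.conf relation names (`v4_instance_convert`, `v4_realm`), but this string is a ccache config key — it is passed to krb5_cc_get_config() in the fast.c hunk and krb5_cc_set_config() in the get_in_tkt.c hunk of this commit. The old `KRB5_CCCONF_` prefix carried that distinction; if the rename is deliberate, a one-line comment would keep readers from treating it as a profile key, e.g. `/* ccache config key (krb5_cc_set_config), not a krb5.conf relation. */`. Dropping the blank line also leaves the define butting against the error-code comment block; I would keep one blank line there.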
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 94d054e4c..9e5c3853f 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -930,7 +930,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
#define TKT_FLG_OK_AS_DELEGATE 0x00040000
#define TKT_FLG_ANONYMOUS 0x00020000
-#define TKT_FLG_ENC_PA_REP 0x10000
+#define TKT_FLG_ENC_PA_REP 0x00010000
/* #define TKT_FLG_RESERVED 0x00008000 */
/* #define TKT_FLG_RESERVED 0x00004000 */
/* #define TKT_FLG_RESERVED 0x00002000 */
@@ -1035,7 +1035,6 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138
#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149
-
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
#define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
#define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */
@@ -2271,35 +2270,43 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
krb5_get_init_creds_opt *opt, const char *attr,
const char *value);
+/**
+ * This API sets a ccache name that will contain some TGT on calls to
+ * t_init_creds functions. If set, this ccache will be used for FAST
+ * (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from observation
+ * and active attack. If the fast_ccache_name is set, then FAST may be
+ * required by the client library. In this and future versions, FAST will be
+ * used if available; krb5_get_init_creds_opt_set_fast_flags() may be used to
+ * require that the request fail is FAST is unavailable. In MIT Kerberos 1.7
+ * setting the fast ccache at all required that FAST be present or the request
+ * would fail.
+ */
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context,
-/**This API sets a ccache name that will contain some TGT on calls to
- get_init_creds functions. If set, this ccache will be used for FAST
- (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from
- observation and active attack. If the fast_ccache_name is set, then FAST
- may be required by the client library. In this and future versions, FAST
- will be used if available; krb5_get_init_creds_opt_set_fast_flags() may be
- used to require that the request fail is FAST is unavailable. In MIT
- Kerberos 1.7 setting the fast ccache at all required that FAST be present
- or the request would fail.*/
krb5_get_init_creds_opt *opt,
const char *fast_ccache_name);
-/**Set a ccache where resulting credentials will be stored. If set, then the
+/**
+ * Set a ccache where resulting credentials will be stored. If set, then the
* krb5_get_init_creds family of APIs will write out credentials to the given
* ccache. Setting an output ccache is desirable both because it simplifies
* calling code and because it permits the krb5_get_init_creds APIs to write
* out configuration information about the realm to the ccache.
*/
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_out_ccache
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache);
+krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache ccache);
+
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags);
+krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags flags);
+
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_get_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags);
+krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags *out_flags);
/* Fast flags*/
#define KRB5_FAST_REQUIRED 1l<<0 /*!< Require KDC to support FAST*/
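Review bot: The reflowed comment line `+ * t_init_creds functions.` lost the first two characters of `get_init_creds`, so the new text names a function family that does not exist; it should read ` * get_init_creds functions.`. The same paragraph still says `require that the request fail is FAST is unavailable`, which should be `if FAST is unavailable`. On the last context line, `#define KRB5_FAST_REQUIRED 1l<<0` is unparenthesized while the fast.h hunk in this commit uses the `(1l<<0)` form; since this commit is normalizing formatting, `#define KRB5_FAST_REQUIRED (1l<<0)` would be the consistent and safer spelling.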
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 4951d2973..23f1ddcb8 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -603,8 +603,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
goto errout;
}
errcode = return_enc_padata(kdc_context, req_pkt, request,
- as_encrypting_key,
- &server, &reply_encpart);
+ as_encrypting_key, &server, &reply_encpart);
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto errout;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index ce0ff39f5..75d413250 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -948,28 +948,28 @@ tgt_again:
goto cleanup;
}
if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
+ int idx = 0;
+
errcode = return_enc_padata(kdc_context, pkt, request,
- reply_key,
- &server, &reply_encpart);
+ reply_key, &server, &reply_encpart);
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
- } else {/*Not refferal*/
- int idx = 0;
- reply_encpart.enc_padata = calloc(3, sizeof(krb5_pa_data *));
- if (reply_encpart.enc_padata == NULL) {
- errcode = ENOMEM;
- status = "Allocating enc_padata";
- goto cleanup;
- }
- errcode = kdc_handle_protected_negotiation(pkt, request,
- reply_key, reply_encpart.enc_padata, &idx);
- if (errcode != 0) {
- status = "protected negotiation";
- goto cleanup;
- }
}
-
+ /* Not referral. */
+ reply_encpart.enc_padata = calloc(3, sizeof(krb5_pa_data *));
+ if (reply_encpart.enc_padata == NULL) {
+ errcode = ENOMEM;
+ status = "Allocating enc_padata";
+ goto cleanup;
+ }
+ errcode = kdc_handle_protected_negotiation(pkt, request, reply_key,
+ reply_encpart.enc_padata,
+ &idx);
+ if (errcode != 0) {
+ status = "protected negotiation";
+ goto cleanup;
+ }
}
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
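Review bot: On the new side, `reply_encpart.enc_padata = calloc(3, sizeof(krb5_pa_data *));` at the bottom of the `is_referral` branch overwrites the pointer that `return_enc_padata()` has just allocated — the kdc_preauth.c hunk in this commit shows that function asserting `enc_padata == NULL` on entry and doing its own `calloc(4, ...)` — so the referral padata array is leaked and whatever it held is dropped on every successful call. The commit restructures the block but keeps that flow, and the new `/* Not referral. */` comment is misleading because the block is still inside the referral `if`. If protected negotiation is meant to run only when no referral padata was built, the calloc and the `kdc_handle_protected_negotiation()` call belong in an `} else {` of the outer `if` (with `int idx = 0;` moved there); if it should run in both cases, the negotiation item should be appended to the existing array by passing the running index out of `return_enc_padata()` rather than replacing it. The enclosing function starts and ends outside this hunk.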
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 83d92b095..2262c8956 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -3064,24 +3064,21 @@ include_pac_p(krb5_context context, krb5_kdc_req *request)
}
krb5_error_code
-return_enc_padata(krb5_context context,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_keyblock *reply_key,
- krb5_db_entry *server,
- krb5_enc_kdc_rep_part *reply_encpart)
+return_enc_padata(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_keyblock *reply_key,
+ krb5_db_entry *server, krb5_enc_kdc_rep_part *reply_encpart)
{
krb5_error_code code;
krb5_tl_data tl_data;
krb5_pa_data *pa_data;
int idx = 0;
- /* This should be initialized and only used for Win2K compat and other
- * specific standardized uses such as FAST negotiation.*/
+ /* This should be initialized and only used for Win2K compat and other
+ * specific standardized uses such as FAST negotiation. */
assert(reply_encpart->enc_padata == NULL);
- reply_encpart->enc_padata = (krb5_pa_data **)calloc(4, sizeof(krb5_pa_data *));
- if (reply_encpart->enc_padata == NULL) {
+ reply_encpart->enc_padata = calloc(4, sizeof(krb5_pa_data *));
+ if (reply_encpart->enc_padata == NULL)
return ENOMEM;
- }
tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA;
code = krb5_dbe_lookup_tl_data(context, server, &tl_data);
if (code || tl_data.tl_data_length == 0)
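Review bot: The `calloc(4, sizeof(krb5_pa_data *))` on the new side keeps a bare count whose meaning — enough slots for every item appended to `enc_padata` plus the terminating NULL — is stated nowhere in the hunk, and the do_tgs_req.c hunk of this commit uses an equally unexplained `3` for what appears to be the same array. I would add `/* Slots for each padata item appended below plus a NULL terminator. */` above the call, or better a named enum constant shared by both call sites, so a future append cannot silently run past the array. The function body continues past the end of the hunk.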
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 0d9ca9772..475265e71 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -2661,15 +2661,17 @@ kdc_get_ticket_endtime(krb5_context context,
* @param index in/out index into @c out_enc_padata for next item
*/
krb5_error_code
-kdc_handle_protected_negotiation( krb5_data *req_pkt, krb5_kdc_req *request,
- const krb5_keyblock *reply_key, krb5_pa_data **out_enc_padata, int *idx)
+kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request,
+ const krb5_keyblock *reply_key,
+ krb5_pa_data **out_enc_padata, int *idx)
{
krb5_error_code retval = 0;
krb5_checksum checksum;
krb5_data *out = NULL;
krb5_pa_data *pa;
assert(out_enc_padata != NULL);
- pa = krb5int_find_pa_data(kdc_context, request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP);
+ pa = krb5int_find_pa_data(kdc_context, request->padata,
+ KRB5_ENCPADATA_REQ_ENC_PA_REP);
if (pa == NULL)
return 0;
checksum.contents = NULL;
@@ -2678,8 +2680,8 @@ kdc_handle_protected_negotiation( krb5_data *req_pkt, krb5_kdc_req *request,
return ENOMEM;
pa->magic = KV5M_PA_DATA;
pa->pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP;
- retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ,
- req_pkt, &checksum);
+ retval = krb5_c_make_checksum(kdc_context,0, reply_key,
+ KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum);
if (retval != 0)
goto cleanup;
retval = encode_krb5_checksum(&checksum, &out);
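Review bot: The rewrapped call still reads `krb5_c_make_checksum(kdc_context,0, reply_key,`, leaving the missing space after the comma that this formatting commit would otherwise fix; `retval = krb5_c_make_checksum(kdc_context, 0, reply_key,`. The literal `0` selects the mandatory checksum type for the key's enctype (the make_checksum.c hunk of this commit documents that convention), which is worth stating at the call site: `/* cksumtype 0: use the mandatory checksum type for reply_key. */`. The `cleanup` label and what happens to `pa` on the error path are outside the hunk.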
diff --git a/src/lib/crypto/krb/make_checksum.c b/src/lib/crypto/krb/make_checksum.c
index dd279fd4f..637da9cc6 100644
--- a/src/lib/crypto/krb/make_checksum.c
+++ b/src/lib/crypto/krb/make_checksum.c
@@ -30,7 +30,7 @@
#include "etypes.h"
#include "dk.h"
-/* A 0 checksum type means use the mandatory checksum*/
+/* A 0 checksum type means use the mandatory checksum. */
krb5_error_code KRB5_CALLCONV
krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
@@ -47,7 +47,8 @@ krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype,
size_t cksumlen;
if (cksumtype == 0) {
- ret = krb5int_c_mandatory_cksumtype(context, krb5_k_key_enctype(context, key), &cksumtype);
+ ret = krb5int_c_mandatory_cksumtype(context, key->keyblock.enctype,
+ &cksumtype);
if (ret != 0)
return ret;
}
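Review bot: Replacing `krb5_k_key_enctype(context, key)` with `key->keyblock.enctype` is a code change rather than a reflow, so it does not belong unannounced in a commit described as fixing formatting and should at least be named in the message. It also reaches into the `krb5_key` structure instead of going through the accessor; that is presumably equivalent today, but this site will not follow if the accessor ever does more than read the field. If the accessor call was only too long for the line, `krb5_enctype etype = krb5_k_key_enctype(context, key);` on its own line keeps both the wrap and the abstraction.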
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 155096f6e..542a626da 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -702,7 +702,8 @@ error_out:
return retval;
}
-krb5_error_code decode_krb5_checksum(const krb5_data *code, krb5_checksum **repptr)
+krb5_error_code
+decode_krb5_checksum(const krb5_data *code, krb5_checksum **repptr)
{
setup_buf_only(krb5_checksum *);
alloc_field(rep);
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 51903e292..279165124 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -56,7 +56,7 @@
static krb5_error_code
fast_armor_ap_request(krb5_context context,
struct krb5int_fast_request_state *state,
- krb5_ccache ccache, krb5_principal target_principal)
+ krb5_ccache ccache, krb5_principal target_principal)
{
krb5_error_code retval = 0;
krb5_creds creds, *out_creds = NULL;
@@ -97,7 +97,7 @@ fast_armor_ap_request(krb5_context context,
krb5_free_keyblock(context, subkey);
if (out_creds)
krb5_free_creds(context, out_creds);
- /*target_principal is owned by caller*/
+ /* target_principal is owned by caller. */
creds.server = NULL;
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
@@ -147,14 +147,15 @@ krb5int_fast_as_armor(krb5_context context,
state->fast_state_flags |= KRB5INT_FAST_ARMOR_AVAIL;
retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
&ccache);
- if (retval == 0)
- retval = krb5_tgtname(context, target_realm, target_realm, &target_principal);
+ if (retval == 0) {
+ retval = krb5_tgtname(context, target_realm, target_realm,
+ &target_principal);
+ }
if (retval == 0) {
krb5_data config_data;
config_data.data = NULL;
- retval = krb5_cc_get_config(context, ccache,
- target_principal, KRB5_CCCONF_FAST_AVAIL,
- &config_data);
+ retval = krb5_cc_get_config(context, ccache, target_principal,
+ KRB5_CONF_FAST_AVAIL, &config_data);
if ((retval == 0) && config_data.data )
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
krb5_free_data_contents(context, &config_data);
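Review bot: Several operator spacings are left unformatted by this commit in the fast.c hunks: `config_data.data )` in this hunk, `fast_flags& KRB5_FAST_REQUIRED` in the next one, `flags& TKT_FLG_ENC_PA_REP` in the krb5int_fast_verify_nego hunk, and `retval == 0 &&valid == 0` in the hunk after it. Each is a one-token fix: `config_data.data)`, `fast_flags & KRB5_FAST_REQUIRED`, `flags & TKT_FLG_ENC_PA_REP`, `retval == 0 && valid == 0`. krb5int_fast_as_armor begins and ends outside this hunk.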
@@ -162,9 +163,10 @@ krb5int_fast_as_armor(krb5_context context,
}
if (opte->opt_private->fast_flags& KRB5_FAST_REQUIRED)
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
- if (retval==0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST))
+ if (retval == 0 && (state->fast_state_flags & KRB5INT_FAST_DO_FAST)) {
retval = fast_armor_ap_request(context, state, ccache,
-target_principal);
+ target_principal);
+ }
if (retval != 0) {
const char * errmsg;
errmsg = krb5_get_error_message(context, retval);
@@ -552,16 +554,19 @@ krb5int_find_pa_data(krb5_context context, krb5_pa_data *const *padata,
}
-krb5_error_code krb5int_fast_verify_nego
-(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_rep *rep, krb5_data *request,
- krb5_keyblock *decrypting_key, krb5_boolean *fast_avail)
+krb5_error_code
+krb5int_fast_verify_nego(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *rep, krb5_data *request,
+ krb5_keyblock *decrypting_key,
+ krb5_boolean *fast_avail)
{
krb5_error_code retval = 0;
krb5_checksum *checksum = NULL;
krb5_pa_data *pa;
krb5_data scratch;
krb5_boolean valid;
+
if (rep->enc_part2->flags& TKT_FLG_ENC_PA_REP) {
pa = krb5int_find_pa_data(context, rep->enc_part2->enc_padata,
KRB5_ENCPADATA_REQ_ENC_PA_REP);
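Review bot: `krb5int_fast_verify_nego` gets a reformatted signature but still no comment stating its contract, and the contract is not obvious: as far as the two hunks show, `*fast_avail` is written only inside the `TKT_FLG_ENC_PA_REP` branch after the checksum over `request` verifies, so a caller that does not initialize it would read an indeterminate value when the reply carries no ENC_PA_REP (the lines between the two hunks are not visible, so confirm there is no other assignment). I would add a header comment above the definition saying that it verifies the KDC's checksum over the encoded request with `decrypting_key`, fails with `KRB5_KDCREP_MODIFIED` on mismatch, and reports via `*fast_avail` whether the reply advertised PA-FX-FAST — and, simpler still, put `*fast_avail = 0;` at the top so the out-parameter is always defined. The function continues in the next hunk.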
@@ -574,29 +579,30 @@ krb5_error_code krb5int_fast_verify_nego
if (retval == 0)
retval = decode_krb5_checksum(&scratch, &checksum);
if (retval == 0)
- retval =krb5_c_verify_checksum(context, decrypting_key, KRB5_KEYUSAGE_AS_REQ,
- request, checksum, &valid);
+ retval = krb5_c_verify_checksum(context, decrypting_key,
+ KRB5_KEYUSAGE_AS_REQ,
+ request, checksum, &valid);
if (retval == 0 &&valid == 0)
retval = KRB5_KDCREP_MODIFIED;
if (retval == 0) {
pa = krb5int_find_pa_data(context, rep->enc_part2->enc_padata,
KRB5_PADATA_FX_FAST);
- if (pa)
- *fast_avail = 1;
- else *fast_avail = 0;
+ *fast_avail = (pa != NULL);
}
}
if (checksum)
krb5_free_checksum(context, checksum);
return retval;
}
-krb5_boolean krb5int_upgrade_to_fast_p
-(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_pa_data **padata)
+
+krb5_boolean
+krb5int_upgrade_to_fast_p(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_pa_data **padata)
{
if (state->armor_key != NULL)
return 0; /*already using FAST*/
- if (! (state->fast_state_flags & KRB5INT_FAST_ARMOR_AVAIL))
+ if (!(state->fast_state_flags & KRB5INT_FAST_ARMOR_AVAIL))
return 0;
if (krb5int_find_pa_data(context, padata, KRB5_PADATA_FX_FAST) != NULL) {
state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h
index db0aa84cb..66dc98523 100644
--- a/src/lib/krb5/krb/fast.h
+++ b/src/lib/krb5/krb/fast.h
@@ -41,9 +41,9 @@ struct krb5int_fast_request_state {
krb5_ui_4 fast_options;
krb5_int32 nonce;
};
-#define KRB5INT_FAST_DO_FAST (1l<<0) /*perform FAST*/
-#define KRB5INT_FAST_ARMOR_AVAIL (1l<<1)
+#define KRB5INT_FAST_DO_FAST (1l<<0) /* Perform FAST */
+#define KRB5INT_FAST_ARMOR_AVAIL (1l<<1)
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
@@ -82,15 +82,16 @@ krb5_error_code krb5int_fast_reply_key(krb5_context context,
krb5_keyblock *output_key);
-krb5_error_code krb5int_fast_verify_nego
-(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_rep *rep, krb5_data *request,
- krb5_keyblock *decrypting_key, krb5_boolean *fast_avail);
-
-krb5_boolean krb5int_upgrade_to_fast_p
-(krb5_context context, struct krb5int_fast_request_state *state, krb5_pa_data **padata);
-
-
-
+krb5_error_code
+krb5int_fast_verify_nego(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_kdc_rep *rep, krb5_data *request,
+ krb5_keyblock *decrypting_key,
+ krb5_boolean *fast_avail);
+
+krb5_boolean
+krb5int_upgrade_to_fast_p(krb5_context context,
+ struct krb5int_fast_request_state *state,
+ krb5_pa_data **padata);
#endif
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 164d4d56c..b13c9a94c 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -545,7 +545,8 @@ tgt_is_local_realm(krb5_creds *tgt)
&& data_eq(tgt->server->realm, tgt->client->realm));
}
-static krb5_error_code request_enc_pa_rep(krb5_pa_data ***padptr)
+static krb5_error_code
+request_enc_pa_rep(krb5_pa_data ***padptr)
{
size_t size = 0;
krb5_pa_data **pad = *padptr;
@@ -1257,8 +1258,9 @@ cleanup:
return code;
}
-/** Throw away any state related to specific realm either at the beginning of a
- * request, or when a realm changes, or when we start to use FAST after
+/**
+ * Throw away any state related to specific realm either at the beginning of a
+ * request, or when a realm changes, or when we start to use FAST after
* assuming we would not do so.
*
* @param padata padata from an error if an error from the realm we now expect
@@ -1266,8 +1268,7 @@ cleanup:
* such as whether FAST is used.
*/
static krb5_error_code
-restart_init_creds_loop(krb5_context context,
- struct _krb5_init_creds_context *ctx,
+restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **padata)
{
krb5_error_code code = 0;
@@ -1291,22 +1292,25 @@ restart_init_creds_loop(krb5_context context,
krb5_free_data(context, ctx->encoded_request_body);
ctx->encoded_request_body = NULL;
}
- if (ctx->opte && (ctx->opte->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
+ if (ctx->opte &&
+ (ctx->opte->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
if ((code = make_preauth_list(context, ctx->opte->preauth_list,
ctx->opte->preauth_list_length,
&ctx->preauth_to_use)))
goto cleanup;
}
- /* set the request nonce */
+ /* Set the request nonce. */
random_data.length = 4;
random_data.data = (char *)random_buf;
code = krb5_c_random_make_octets(context, &random_data);
if (code !=0)
goto cleanup;
-/* See RT ticket 3196 at MIT. If we set the high bit, we
- may have compatibility problems with Heimdal, because
- we (incorrectly) encode this value as signed. */
+ /*
+ * See RT ticket 3196 at MIT. If we set the high bit, we may have
+ * compatibility problems with Heimdal, because we (incorrectly) encode
+ * this value as signed.
+ */
ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
krb5_free_principal(context, ctx->request->server);
ctx->request->server = NULL;
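Review bot: `if (code !=0)` after the krb5_c_random_make_octets() call is left with its uneven spacing, as is the same test after `cc_cleanup:` in the last hunk of this file; `if (code != 0)` matches the form this commit adopts in the fast.c hunks. restart_init_creds_loop begins and ends outside this hunk.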
@@ -1720,50 +1724,49 @@ cleanup:
return code;
}
-/* The control flow is complicated. In order to switch from non-FAST mode
- * to FAST mode, we need to reset our pre-authentication state. FAST
- * negotiation attempts to make sure we rarely have to do this. When FAST
- * negotiation is working, we record whether FAST is available when we
- * obtain an armor ticket; if so, we start out with FAST enabled . There
- * are two complicated situations.
+/*
+ * The control flow is complicated. In order to switch from non-FAST mode to
+ * FAST mode, we need to reset our pre-authentication state. FAST negotiation
+ * attempts to make sure we rarely have to do this. When FAST negotiation is
+ * working, we record whether FAST is available when we obtain an armor ticket;
+ * if so, we start out with FAST enabled . There are two complicated
+ * situations.
*
* First, if we get a PREAUTH_REQUIRED error including PADATA_FX_FAST back from
* a KDC in a case where we were not expecting to use FAST, and we have an
- * armor ticket available, then we want to use FAST. That involves
- * clearing out the pre-auth state, reinitializing the plugins and trying
- * again with an armor key.
+ * armor ticket available, then we want to use FAST. That involves clearing
+ * out the pre-auth state, reinitializing the plugins and trying again with an
+ * armor key.
*
- * Secondly, using the negotiation can cause problems with some older
- * KDCs. Negotiation involves including a special padata item. Some KDCs,
- * including MIT prior to 1.7, will return PREAUTH_FAILED rather than
- * PREAUTH_REQUIRED in pre-authentication is required and unknown padata are
- * included in the request. To make matters worse, these KDCs typically do
- * not include a list of padata in PREAUTH_FAILED errors. So, if we get
- * PREAUTH_FAILED and we generated no pre-authentication other than the
- * negotiation then we want to retry without negotiation. In this case it
- * is probably also desirable to retry with the preauth plugin state cleared.
+ * Secondly, using the negotiation can cause problems with some older KDCs.
+ * Negotiation involves including a special padata item. Some KDCs, including
+ * MIT prior to 1.7, will return PREAUTH_FAILED rather than PREAUTH_REQUIRED in
+ * pre-authentication is required and unknown padata are included in the
+ * request. To make matters worse, these KDCs typically do not include a list
+ * of padata in PREAUTH_FAILED errors. So, if we get PREAUTH_FAILED and we
+ * generated no pre-authentication other than the negotiation then we want to
+ * retry without negotiation. In this case it is probably also desirable to
+ * retry with the preauth plugin state cleared.
*
- * In all these cases we should not start over more than once. Control
- * flow is managed by several variables.
+ * In all these cases we should not start over more than once. Control flow is
+ * managed by several variables.
*
- * sent_nontrivial_preauth: if true, we sent preauth other than
- * negotiation; no restart on PREAUTH_FAILED
+ * sent_nontrivial_preauth: if true, we sent preauth other than negotiation;
+ * no restart on PREAUTH_FAILED
*
- * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag
- * if desired we could generate armor; if not set, then we can't use FAST
- * even if the KDC wants to.
+ * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag if desired we could generate
+ * armor; if not set, then we can't use FAST even if the KDC wants to.
*
- * have_restarted: true if we've already restarted
+ * have_restarted: true if we've already restarted
*/
static krb5_boolean
-negotiation_requests_restart(krb5_context context,
- struct _krb5_init_creds_context *ctx,
+negotiation_requests_restart(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **padata)
{
- if ((!ctx->have_restarted) && (
- krb5int_upgrade_to_fast_p(context, ctx->fast_state, padata)
- || (ctx->err_reply->error == KDC_ERR_PREAUTH_FAILED &&
- (!ctx->sent_nontrivial_preauth))))
+ if (!ctx->have_restarted &&
+ (krb5int_upgrade_to_fast_p(context, ctx->fast_state, padata) ||
+ (ctx->err_reply->error == KDC_ERR_PREAUTH_FAILED &&
+ !ctx->sent_nontrivial_preauth)))
return 1;
return 0;
}
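Review bot: Two wording defects survive the reflow of the comment above negotiation_requests_restart: `FAST enabled .` keeps a stray space before the period, and `PREAUTH_REQUIRED in pre-authentication is required` should read `PREAUTH_REQUIRED if pre-authentication is required`. Since the purpose of this hunk is to tidy that text, both lines are worth fixing here rather than in a later pass.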
@@ -1807,7 +1810,8 @@ init_creds_step_reply(krb5_context context,
code = restart_init_creds_loop(context, ctx, padata);
krb5_free_error(context, ctx->err_reply);
ctx->err_reply = NULL;
- }else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
+ } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+ retry) {
/* reset the list of preauth types to try */
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = padata;
@@ -1834,7 +1838,8 @@ init_creds_step_reply(krb5_context context,
krb5_free_error(context, ctx->err_reply);
ctx->err_reply = NULL;
krb5_preauth_request_context_fini(context);
- ctx->have_restarted = 0; /*permit another negotiation based restart*/
+ /* Permit another negotiation based restart. */
+ ctx->have_restarted = 0;
ctx->sent_nontrivial_preauth = 0;
code = restart_init_creds_loop(context, ctx, NULL);
if (code != 0)
@@ -1964,7 +1969,7 @@ init_creds_step_reply(krb5_context context,
ctx->reply, &ctx->cred, NULL);
if (code != 0)
goto cleanup;
- if (ctx->opte&&ctx->opte->opt_private->out_ccache) {
+ if (ctx->opte && ctx->opte->opt_private->out_ccache) {
krb5_ccache out_ccache = ctx->opte->opt_private->out_ccache;
krb5_data config_data;
code = krb5_cc_initialize(context, out_ccache, ctx->cred.client);
@@ -1977,13 +1982,14 @@ init_creds_step_reply(krb5_context context,
config_data.data = "yes";
config_data.length = strlen(config_data.data);
code = krb5_cc_set_config(context, out_ccache, ctx->cred.server,
- KRB5_CCCONF_FAST_AVAIL, &config_data);
+ KRB5_CONF_FAST_AVAIL, &config_data);
}
cc_cleanup:
if (code !=0) {
const char *msg;
msg = krb5_get_error_message(context, code);
- krb5_set_error_message(context, code, "%s while storing credentials", msg);
+ krb5_set_error_message(context, code,
+ "%s while storing credentials", msg);
krb5_free_error_message(context, msg);
}
}
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index f1d9479cb..f4cfd9220 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -490,8 +490,9 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
}
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_out_ccache
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_ccache ccache)
+krb5_get_init_creds_opt_set_out_ccache(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_ccache ccache)
{
krb5_error_code retval = 0;
krb5_gic_opt_ext *opte;
@@ -510,8 +511,9 @@ krb5_get_init_creds_opt_set_out_ccache
}
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_set_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags flags)
+krb5_get_init_creds_opt_set_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags flags)
{
krb5_error_code retval = 0;
krb5_gic_opt_ext *opte;
@@ -525,8 +527,9 @@ krb5_get_init_creds_opt_set_fast_flags
}
krb5_error_code KRB5_CALLCONV
-krb5_get_init_creds_opt_get_fast_flags
-(krb5_context context, krb5_get_init_creds_opt *opt, krb5_flags *out_flags)
+krb5_get_init_creds_opt_get_fast_flags(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_flags *out_flags)
{
krb5_error_code retval = 0;
krb5_gic_opt_ext *opte;