oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

lib/krb5: krb5_init_creds_get() passes hostinfo=NULL to krb5_init_creds_step()

Browse Source 
The current prototype of krb5_init_creds_step() is completely
useless as the caller has no way to know the destination
realm for the out blob.

The only internal caller of krb5_init_creds_step()
passes hostinfo=NULL and this commit makes it more obvious that hostinfo
is always NULL.

NOTE: commit 1cdc9d5f3c
"krb5: export krb5_init_creds_step()" exported
krb5_init_creds_step() the first time, but that's
not in any released version, so it should be fine
to fix up the prototype.

The aim is to remove hostinfo from the krb5_init_creds_step() internals
completely and move krb5_init_creds_step() to a useful prototype
where it returns the destination realm for the out packet.

Which means the prototype will mostly match the one MIT is using:

   krb5_error_code KRB5_CALLCONV
   krb5_init_creds_step(krb5_context context,
                        krb5_init_creds_context ctx,
                        krb5_data *in,
                        krb5_data *out,
                        krb5_data *realm,
                        unsigned int *flags);

Follow up patches demonstrate that the hostinfo related code
in pk_verify_host() is actually dead code as all layers
just passed down the NULL value from krb5_init_creds_get().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Stefan Metzmacher
2022-03-03 16:48:08 +01:00
committed by Jeffrey Altman
parent cfb32a638e
commit acaa62636f
2 changed files with 8 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/krb5/fast.c
View File

@@ -856,7 +856,7 @@ _krb5_fast_anon_pkinit_step(krb5_context context,
struct krb5_fast_state *state, struct krb5_fast_state *state,
krb5_data *in, krb5_data *in,
krb5_data *out, krb5_data *out,
krb5_krbhst_info *hostinfo, const void *_unused,
unsigned int *flags) unsigned int *flags)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -902,7 +902,7 @@ _krb5_fast_anon_pkinit_step(krb5_context context,
anon_pk_ctx = state->anon_pkinit_ctx; anon_pk_ctx = state->anon_pkinit_ctx;
ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, hostinfo, flags); ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, NULL, flags);
if (ret || if (ret ||
(*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
goto out; goto out;

14
lib/krb5/init_creds_pw.c
View File

@@ -2966,7 +2966,7 @@ init_creds_step(krb5_context context,
krb5_init_creds_context ctx, krb5_init_creds_context ctx,
krb5_data *in, krb5_data *in,
krb5_data *out, krb5_data *out,
krb5_krbhst_info *hostinfo, const void *_unused,
unsigned int *flags) unsigned int *flags)
{ {
struct timeval start_time, end_time; struct timeval start_time, end_time;
@@ -3053,7 +3053,7 @@ init_creds_step(krb5_context context,
ret = process_pa_data_to_key(context, ctx, &ctx->cred, ret = process_pa_data_to_key(context, ctx, &ctx->cred,
&ctx->as_req, &rep.kdc_rep, &ctx->as_req, &rep.kdc_rep,
hostinfo, &ctx->fast_state.reply_key); NULL, &ctx->fast_state.reply_key);
if (ret) { if (ret) {
free_AS_REP(&rep.kdc_rep); free_AS_REP(&rep.kdc_rep);
goto out; goto out;
@@ -3436,7 +3436,6 @@ init_creds_step(krb5_context context,
* @param ctx ctx krb5_init_creds_context context. * @param ctx ctx krb5_init_creds_context context.
* @param in input data from KDC, first round it should be reset by krb5_data_zer(). * @param in input data from KDC, first round it should be reset by krb5_data_zer().
* @param out reply to KDC. * @param out reply to KDC.
* @param hostinfo KDC address info, first round it can be NULL.
* @param flags status of the round, if * @param flags status of the round, if
* KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round. * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
* *
@@ -3451,7 +3450,7 @@ krb5_init_creds_step(krb5_context context,
krb5_init_creds_context ctx, krb5_init_creds_context ctx,
krb5_data *in, krb5_data *in,
krb5_data *out, krb5_data *out,
krb5_krbhst_info *hostinfo, const void *_unused,
unsigned int *flags) unsigned int *flags)
{ {
krb5_error_code ret; krb5_error_code ret;
@@ -3462,7 +3461,7 @@ krb5_init_creds_step(krb5_context context,
if ((ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) && if ((ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) &&
ctx->fast_state.armor_ccache == NULL) { ctx->fast_state.armor_ccache == NULL) {
ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state, ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state,
in, out, hostinfo, flags); in, out, NULL, flags);
if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) { if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) {
_krb5_debug(context, 5, "Preauth failed with optimistic " _krb5_debug(context, 5, "Preauth failed with optimistic "
"FAST, trying w/o FAST"); "FAST, trying w/o FAST");
@@ -3477,7 +3476,7 @@ krb5_init_creds_step(krb5_context context,
in = &empty; in = &empty;
} }
return init_creds_step(context, ctx, in, out, hostinfo, flags); return init_creds_step(context, ctx, in, out, NULL, flags);
} }
/** /**
@@ -3670,7 +3669,6 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx) krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
{ {
krb5_sendto_ctx stctx = NULL; krb5_sendto_ctx stctx = NULL;
krb5_krbhst_info *hostinfo = NULL;
krb5_error_code ret; krb5_error_code ret;
krb5_data in, out; krb5_data in, out;
unsigned int flags = 0; unsigned int flags = 0;
@@ -3692,7 +3690,7 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
struct timeval nstart, nend; struct timeval nstart, nend;
flags = 0; flags = 0;
ret = krb5_init_creds_step(context, ctx, &in, &out, hostinfo, &flags); ret = krb5_init_creds_step(context, ctx, &in, &out, NULL, &flags);
krb5_data_free(&in); krb5_data_free(&in);
if (ret) if (ret)
goto out; goto out;