author | Greg Hudson <ghudson@mit.edu> | 2020-07-23 01:52:43 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2020-08-07 14:48:56 -0400 |
commit | 8f2f0a2e8f65c4b39883129967301e3a8986218b (patch) | |
tree | 1567db4f4c7a2e1f4b50ba5e70fbdf88acb1c4ef | |
parent | 148b317e1eb5df28dad96679cb4b8a07c62d4786 (diff) | |
Refactor cache checking in TGS client code
-rw-r--r-- | src/lib/krb5/krb/get_creds.c | 86 | ||||
-rw-r--r-- | src/lib/krb5/krb/int-proto.h | 6 | ||||
-rw-r--r-- | src/lib/krb5/krb/s4u_creds.c | 21 |
3 files changed, 55 insertions, 58 deletions
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index b3f01be..32401bc 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -48,10 +48,10 @@
 * and options. The fields of *mcreds will be aliased to the fields
 * of in_creds, so the contents of *mcreds should not be freed.
 */
-krb5_error_code
-krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields)
+static krb5_error_code
+construct_matching_creds(krb5_context context, krb5_flags options,
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields)
 {
 if (!in_creds || !in_creds->server || !in_creds->client)
 return EINVAL;
@@ -110,6 +110,50 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
 return 0;
 }
 
+/* Simple wrapper around krb5_cc_retrieve_cred which allocates the result
+ * container. */
+static krb5_error_code
+cache_get(krb5_context context, krb5_ccache ccache, krb5_flags flags,
+ krb5_creds *in_creds, krb5_creds **out_creds)
+{
+ krb5_error_code code;
+ krb5_creds *creds;
+
+ *out_creds = NULL;
+
+ creds = malloc(sizeof(*creds));
+ if (creds == NULL)
+ return ENOMEM;
+
+ code = krb5_cc_retrieve_cred(context, ccache, flags, in_creds, creds);
+ if (code != 0) {
+ free(creds);
+ return code;
+ }
+
+ *out_creds = creds;
+ return 0;
+}
+
+krb5_error_code
+k5_get_cached_cred(krb5_context context, krb5_flags options,
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **creds_out)
+{
+ krb5_error_code code;
+ krb5_creds mcreds;
+ krb5_flags fields;
+
+ *creds_out = NULL;
+
+ code = construct_matching_creds(context, options, in_creds,
+ &mcreds, &fields);
+ if (code)
+ return code;
+
+ return cache_get(context, ccache, fields, &mcreds, creds_out);
+}
+
 /*
 * krb5_tkt_creds_step() is implemented using a tail call style. Every
 * begin_*, step_*, or *_request function is responsible for returning an
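Review bot: cache_get(), now the single allocation path behind k5_get_cached_cred(), passes a `malloc`'d and uninitialized krb5_creds to krb5_cc_retrieve_cred(), whereas the S4U lookup that the s4u_creds.c hunk replaces used `calloc` and set `ncreds->magic = KV5M_CRED` first. Whether every ccache backend overwrites the whole structure on success is not visible in this diff, so the shared helper should keep the stricter form: `creds = calloc(1, sizeof(*creds));` followed by `creds->magic = KV5M_CRED;` if callers still rely on the magic value. That way a partially filled credential cannot carry indeterminate pointers into a later free.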
@@ -235,31 +279,6 @@ cleanup:
 return code;
 }
 
-/* Simple wrapper around krb5_cc_retrieve_cred which allocates the result
- * container. */
-static krb5_error_code
-cache_get(krb5_context context, krb5_ccache ccache, krb5_flags flags,
- krb5_creds *in_creds, krb5_creds **out_creds)
-{
- krb5_error_code code;
- krb5_creds *creds;
-
- *out_creds = NULL;
-
- creds = malloc(sizeof(*creds));
- if (creds == NULL)
- return ENOMEM;
-
- code = krb5_cc_retrieve_cred(context, ccache, flags, in_creds, creds);
- if (code != 0) {
- free(creds);
- return code;
- }
-
- *out_creds = creds;
- return 0;
-}
-
 /*
 * Set up the request given by ctx->tgs_in_creds, using ctx->cur_tgt. KDC
 * options for the requests are determined by ctx->cur_tgt->ticket_flags and
@@ -1023,18 +1042,13 @@ static krb5_error_code
 check_cache(krb5_context context, krb5_tkt_creds_context ctx)
 {
 krb5_error_code code;
- krb5_creds mcreds;
- krb5_flags fields;
 krb5_creds req_in_creds;
 
 /* Check the cache for the originally requested server principal. */
 req_in_creds = *ctx->in_creds;
 req_in_creds.server = ctx->req_server;
- code = krb5int_construct_matching_creds(context, ctx->req_options,
- &req_in_creds, &mcreds, &fields);
- if (code)
- return code;
- code = cache_get(context, ctx->ccache, fields, &mcreds, &ctx->reply_creds);
+ code = k5_get_cached_cred(context, ctx->req_options, ctx->ccache,
+ &req_in_creds, &ctx->reply_creds);
 if (code == 0) {
 ctx->state = STATE_COMPLETE;
 return 0;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index fe61beb..5211044 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -79,9 +79,9 @@ clpreauth_otp_initvt(krb5_context context, int maj_ver, int min_ver,
 krb5_plugin_vtable vtable);
 
 krb5_error_code
-krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
+k5_get_cached_cred(krb5_context context, krb5_flags options,
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **creds_out);
 
 #define IS_TGS_PRINC(p) ((p)->length == 2 && \
 data_eq_string((p)->data[0], KRB5_TGS_NAME))
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index 00ff613..fe15b24 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -1152,29 +1152,12 @@ k5_get_proxy_cred_from_kdc(krb5_context context, krb5_flags options,
 {
 krb5_error_code code;
 krb5_const_principal canonprinc;
- krb5_creds mcreds, copy, *creds, *ncreds;
- krb5_flags fields;
+ krb5_creds copy, *creds;
 struct canonprinc iter = { in_creds->server, .no_hostrealm = TRUE };
 
 *out_creds = NULL;
 
- code = krb5int_construct_matching_creds(context, options, in_creds,
- &mcreds, &fields);
- if (code != 0)
- return code;
-
- ncreds = calloc(1, sizeof(*ncreds));
- if (ncreds == NULL)
- return ENOMEM;
- ncreds->magic = KV5M_CRED;
-
- code = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, ncreds);
- if (code) {
- free(ncreds);
- } else {
- *out_creds = ncreds;
- }
-
+ code = k5_get_cached_cred(context, options, ccache, in_creds, out_creds);
 if ((code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) ||
 options & KRB5_GC_CACHED)
 return code; |
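Review bot: The `k5_get_cached_cred` prototype in int-proto.h is declared without a comment, although it is now the only cross-file entry point to the cache lookup and it hands an allocated credential to the caller. I would add above it: `/* Look up in_creds in ccache using the match rules implied by options. On success, *creds_out is a newly allocated credential which the caller must free with krb5_free_creds(). */`. The s4u_creds.c caller branches on KRB5_CC_NOTFOUND and KRB5_CC_NOT_KTYPE, so naming those as the cache-miss results in the same comment would make the contract explicit for future callers.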