authorZhanna Tsitkov <tsitkova@mit.edu>2008-11-17 19:28:24 +0000
committerZhanna Tsitkov <tsitkova@mit.edu>2008-11-17 19:28:24 +0000
commit7a4fbc070e7fc9e67a86af6cc70f84420f876a80 (patch)
tree3b17f9f0519408002779833e250559b322dfa77b /src/lib/krb5
parentc4da687dec360a4cf7aad6a27655f51f2aae8cce (diff)
PERF: Introduced a new function krb5_is_permitted_enctype_ext to replace multiple calls to krb5_is_permitted_enctype
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21128 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/init_ctx.c32
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c47
2 files changed, 75 insertions, 4 deletions
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 467aec9..f916660 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -488,6 +488,38 @@ krb5_is_permitted_enctype(krb5_context context, krb5_enctype etype)
return(ret);
}
+/* The same as krb5_is_permitted_enctype, but verifies multiple etype's
+ * Returns 0 is either the list of the permitted enc types is not available
+ * or all requested etypes are not permitted. Otherwise returns 1.
+ */
+
+krb5_boolean
+krb5_is_permitted_enctype_ext ( krb5_context context,
+ krb5_etypes_permitted *etypes)
+{
+ krb5_enctype *list, *ptr;
+ krb5_boolean ret = 0;
+ int i = 0;
+
+ if (krb5_get_permitted_enctypes(context, &list))
+ return(0);
+
+ for ( i=0; i< etypes->etype_count; i++ )
+ {
+ for (ptr = list; *ptr; ptr++)
+ {
+ if (*ptr == etypes->etype[i])
+ {
+ etypes->etype_ok[i] = TRUE;
+ ret = 1;
+ }
+ }
+ }
+ krb5_free_ktypes (context, list);
+
+ return(ret);
+}
+
static krb5_error_code
copy_ktypes(krb5_context ctx,
unsigned int nktypes,
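Review bot: The header comment on krb5_is_permitted_enctype_ext promises a stricter result than the body delivers: `ret = 1` is set as soon as any one requested etype is found in the permitted list, so the function returns 1 when at least one etype is permitted rather than only when all are, and the per-etype verdicts are carried in etype_ok[]. Suggest rewording the comment to `Returns 0 if the permitted-enctype list is unavailable or none of the requested etypes is permitted; otherwise returns 1 and sets etypes->etype_ok[i] to TRUE for each permitted etype.` The body only ever sets etype_ok[i] to TRUE and never clears it, so callers must zero that array before the call; that precondition belongs in the comment as well. Once `*ptr == etypes->etype[i]` matches, the inner loop can `break` instead of scanning the rest of the list.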
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index e93551a..3a92107 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -182,7 +182,6 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
&((*auth_context)->authentp),
check_valid_flag)))
goto cleanup;
-
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
req->ticket->enc_part2->client)) {
retval = KRB5KRB_AP_ERR_BADMATCH;
@@ -301,6 +300,26 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
/* no etype check needed */;
} else if ((*auth_context)->permitted_etypes == NULL) {
int etype;
+ size_t size_etype_enc = 3 * sizeof(krb5_enctype); /* upto three types */
+ size_t size_etype_bool = 3 * sizeof(krb5_boolean);
+ krb5_etypes_permitted etypes;
+ memset(&etypes, 0, sizeof etypes);
+
+ etypes.etype = (krb5_enctype*) malloc( size_etype_enc );
+ etypes.etype_ok = (krb5_boolean*) malloc( size_etype_bool );
+ memset(etypes.etype, 0, size_etype_enc );
+ memset(etypes.etype_ok, 0, size_etype_bool );
+
+ etypes.etype[etypes.etype_count++] = req->ticket->enc_part.enctype;
+ etypes.etype[etypes.etype_count++] = req->ticket->enc_part2->session->enctype;
+ if ( (*auth_context)->authentp->subkey) {
+ etypes.etype[etypes.etype_count++] = (*auth_context)->authentp->subkey->enctype;
+ }
+
+ retval = krb5_is_permitted_enctype_ext(context, &etypes);
+
+
+#if 0
/* check against the default set */
if ((!krb5_is_permitted_enctype(context,
etype = req->ticket->enc_part.enctype)) ||
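Review bot: Both malloc() results on the `etypes.etype = (krb5_enctype*) malloc( size_etype_enc );` and `etypes.etype_ok = ...` lines are passed straight to memset() with no NULL check, so an allocation failure dereferences NULL while processing an incoming AP-REQ. Since the element count is fixed at three, the two buffers can live on the stack, which also removes allocations that no visible hunk frees (unless the part of krb5_rd_req_decoded_opt after the last hunk does). Separately, `retval = krb5_is_permitted_enctype_ext(context, &etypes);` stores a krb5_boolean into the krb5_error_code that this function presumably returns, so on the all-permitted path retval is left at 1 unless later code resets it; keeping the result in its own local (and testing that local instead of `retval == 0` in the following hunk) avoids the ambiguity. krb5_rd_req_decoded_opt starts and ends outside this hunk.
```c
            int etype;
            krb5_enctype etype_buf[3] = { 0 };      /* up to three types */
            krb5_boolean etype_ok_buf[3] = { 0 };   /* must start zeroed: callee only sets TRUE */
            krb5_etypes_permitted etypes;
            krb5_boolean any_permitted;
            memset(&etypes, 0, sizeof etypes);
            etypes.etype = etype_buf;
            etypes.etype_ok = etype_ok_buf;
            /* … unchanged: fill etypes.etype from ticket, session key and optional subkey … */
            any_permitted = krb5_is_permitted_enctype_ext(context, &etypes);
```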
@@ -309,8 +328,27 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
(((*auth_context)->authentp->subkey) &&
!krb5_is_permitted_enctype(context,
etype = (*auth_context)->authentp->subkey->enctype))) {
- char enctype_name[30];
- retval = KRB5_NOPERM_ETYPE;
+#endif
+ if ( retval == 0 /* all etypes are not permitted */ ||
+ ( !etypes.etype_ok[0] || !etypes.etype_ok[1] ||
+ (((*auth_context)->authentp->subkey) && !etypes.etype_ok[etypes.etype_count-1])))
+ {
+ char enctype_name[30];
+ retval = KRB5_NOPERM_ETYPE;
+
+ if ( !etypes.etype_ok[0] )
+ {
+ etype = etypes.etype[1];
+ }
+ else if ( !etypes.etype_ok[1] )
+ {
+ etype = etypes.etype[1];
+ }
+ else
+ {
+ etype = etypes.etype[2];
+ }
+
if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
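Review bot: In the branch `if ( !etypes.etype_ok[0] )` the error-message selection assigns `etype = etypes.etype[1];`, but index 0 is the etype that failed (the ticket enc_part enctype stored first in the previous hunk), so the "Encryption type %s not permitted" message names the session-key enctype instead; it should read `etype = etypes.etype[0];`. The replaced check is kept under `#if 0` rather than removed; since the commit message and the new code supersede it, that dead block should be deleted. The enclosing krb5_rd_req_decoded_opt continues past this hunk, so whether etypes.etype and etypes.etype_ok are released after this block cannot be confirmed from here.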
@@ -453,7 +491,6 @@ krb5_rd_req_decoded_anyflag(krb5_context context,
0); /* don't check_valid_flag */
return retval;
}
-
static krb5_error_code
decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
krb5_authenticator **authpp, int is_ap_req)
@@ -488,3 +525,5 @@ free(scratch.data);}
clean_scratch();
return retval;
}
+
+