Diffstat (limited to 'src/lib/krb5/krb/get_in_tkt.c')
-rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 100 |
1 files changed, 53 insertions, 47 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 164d4d5..b13c9a9 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -545,7 +545,8 @@ tgt_is_local_realm(krb5_creds *tgt)
 && data_eq(tgt->server->realm, tgt->client->realm));
 }
 
-static krb5_error_code request_enc_pa_rep(krb5_pa_data ***padptr)
+static krb5_error_code
+request_enc_pa_rep(krb5_pa_data ***padptr)
 {
 size_t size = 0;
 krb5_pa_data **pad = *padptr;
@@ -1257,8 +1258,9 @@ cleanup:
 return code;
 }
 
-/** Throw away any state related to specific realm either at the beginning of a
- * request, or when a realm changes, or when we start to use FAST after
+/**
+ * Throw away any state related to specific realm either at the beginning of a
+ * request, or when a realm changes, or when we start to use FAST after
  * assuming we would not do so.
  *
  * @param padata padata from an error if an error from the realm we now expect
@@ -1266,8 +1268,7 @@ cleanup:
  * such as whether FAST is used.
  */
 static krb5_error_code
-restart_init_creds_loop(krb5_context context,
- struct _krb5_init_creds_context *ctx,
+restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
 krb5_pa_data **padata)
 {
 krb5_error_code code = 0;
@@ -1291,22 +1292,25 @@ restart_init_creds_loop(krb5_context context,
 krb5_free_data(context, ctx->encoded_request_body);
 ctx->encoded_request_body = NULL;
 }
-if (ctx->opte && (ctx->opte->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
+if (ctx->opte &&
+(ctx->opte->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
 if ((code = make_preauth_list(context, ctx->opte->preauth_list,
 ctx->opte->preauth_list_length,
 &ctx->preauth_to_use)))
 goto cleanup;
 }
-/* set the request nonce */
+/* Set the request nonce. */
 random_data.length = 4;
 random_data.data = (char *)random_buf;
 code = krb5_c_random_make_octets(context, &random_data);
 if (code !=0)
 goto cleanup;
-/* See RT ticket 3196 at MIT. If we set the high bit, we
- may have compatibility problems with Heimdal, because
- we (incorrectly) encode this value as signed. */
+/*
+ * See RT ticket 3196 at MIT. If we set the high bit, we may have
+ * compatibility problems with Heimdal, because we (incorrectly) encode
+ * this value as signed.
+ */
 ctx->request->nonce = 0x7fffffff & load_32_n(random_buf);
 krb5_free_principal(context, ctx->request->server);
 ctx->request->server = NULL;
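Review bot: `if (code !=0)` after the krb5_c_random_make_octets() call keeps its missing space even though this hunk otherwise normalizes operator spacing (the `ctx->opte &&` split); it should become `if (code != 0)` to match the `code != 0` checks elsewhere in the file. The reflowed nonce comment could also say what the mask buys rather than only citing the ticket, e.g. `/* Keep the nonce to 31 bits: we (incorrectly) encode it as a signed value, and a set high bit breaks Heimdal interop.  See RT ticket 3196 at MIT. */`. The enclosing restart_init_creds_loop() body continues past the end of this hunk.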
@@ -1720,50 +1724,49 @@ cleanup:
 return code;
 }
-/* The control flow is complicated. In order to switch from non-FAST mode
- * to FAST mode, we need to reset our pre-authentication state. FAST
- * negotiation attempts to make sure we rarely have to do this. When FAST
- * negotiation is working, we record whether FAST is available when we
- * obtain an armor ticket; if so, we start out with FAST enabled . There
- * are two complicated situations.
+/*
+ * The control flow is complicated. In order to switch from non-FAST mode to
+ * FAST mode, we need to reset our pre-authentication state. FAST negotiation
+ * attempts to make sure we rarely have to do this. When FAST negotiation is
+ * working, we record whether FAST is available when we obtain an armor ticket;
+ * if so, we start out with FAST enabled . There are two complicated
+ * situations.
  *
  * First, if we get a PREAUTH_REQUIRED error including PADATA_FX_FAST back from
  * a KDC in a case where we were not expecting to use FAST, and we have an
- * armor ticket available, then we want to use FAST. That involves
- * clearing out the pre-auth state, reinitializing the plugins and trying
- * again with an armor key.
+ * armor ticket available, then we want to use FAST. That involves clearing
+ * out the pre-auth state, reinitializing the plugins and trying again with an
+ * armor key.
  *
- * Secondly, using the negotiation can cause problems with some older
- * KDCs. Negotiation involves including a special padata item. Some KDCs,
- * including MIT prior to 1.7, will return PREAUTH_FAILED rather than
- * PREAUTH_REQUIRED in pre-authentication is required and unknown padata are
- * included in the request. To make matters worse, these KDCs typically do
- * not include a list of padata in PREAUTH_FAILED errors. So, if we get
- * PREAUTH_FAILED and we generated no pre-authentication other than the
- * negotiation then we want to retry without negotiation. In this case it
- * is probably also desirable to retry with the preauth plugin state cleared.
+ * Secondly, using the negotiation can cause problems with some older KDCs.
+ * Negotiation involves including a special padata item. Some KDCs, including
+ * MIT prior to 1.7, will return PREAUTH_FAILED rather than PREAUTH_REQUIRED in
+ * pre-authentication is required and unknown padata are included in the
+ * request. To make matters worse, these KDCs typically do not include a list
+ * of padata in PREAUTH_FAILED errors. So, if we get PREAUTH_FAILED and we
+ * generated no pre-authentication other than the negotiation then we want to
+ * retry without negotiation. In this case it is probably also desirable to
+ * retry with the preauth plugin state cleared.
  *
- * In all these cases we should not start over more than once. Control
- * flow is managed by several variables.
+ * In all these cases we should not start over more than once. Control flow is
+ * managed by several variables.
  *
- * sent_nontrivial_preauth: if true, we sent preauth other than
- * negotiation; no restart on PREAUTH_FAILED
+ * sent_nontrivial_preauth: if true, we sent preauth other than negotiation;
+ * no restart on PREAUTH_FAILED
  *
- * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag
- * if desired we could generate armor; if not set, then we can't use FAST
- * even if the KDC wants to.
+ * KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag if desired we could generate
+ * armor; if not set, then we can't use FAST even if the KDC wants to.
  *
- * have_restarted: true if we've already restarted
+ * have_restarted: true if we've already restarted
  */
 static krb5_boolean
-negotiation_requests_restart(krb5_context context,
- struct _krb5_init_creds_context *ctx,
+negotiation_requests_restart(krb5_context context, krb5_init_creds_context ctx,
 krb5_pa_data **padata)
 {
- if ((!ctx->have_restarted) && (
- krb5int_upgrade_to_fast_p(context, ctx->fast_state, padata)
- || (ctx->err_reply->error == KDC_ERR_PREAUTH_FAILED &&
- (!ctx->sent_nontrivial_preauth))))
+ if (!ctx->have_restarted &&
+ (krb5int_upgrade_to_fast_p(context, ctx->fast_state, padata) ||
+ (ctx->err_reply->error == KDC_ERR_PREAUTH_FAILED &&
+ !ctx->sent_nontrivial_preauth)))
 return 1;
 return 0;
 }
@@ -1807,7 +1810,8 @@ init_creds_step_reply(krb5_context context,
 code = restart_init_creds_loop(context, ctx, padata);
 krb5_free_error(context, ctx->err_reply);
 ctx->err_reply = NULL;
- }else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
+ } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+ retry) {
 /* reset the list of preauth types to try */
 krb5_free_pa_data(context, ctx->preauth_to_use);
 ctx->preauth_to_use = padata;
@@ -1834,7 +1838,8 @@ init_creds_step_reply(krb5_context context,
 krb5_free_error(context, ctx->err_reply);
 ctx->err_reply = NULL;
 krb5_preauth_request_context_fini(context);
- ctx->have_restarted = 0; /*permit another negotiation based restart*/
+ /* Permit another negotiation based restart. */
+ ctx->have_restarted = 0;
 ctx->sent_nontrivial_preauth = 0;
 code = restart_init_creds_loop(context, ctx, NULL);
 if (code != 0)
@@ -1964,7 +1969,7 @@ init_creds_step_reply(krb5_context context,
 ctx->reply, &ctx->cred, NULL);
 if (code != 0)
 goto cleanup;
- if (ctx->opte&&ctx->opte->opt_private->out_ccache) {
+ if (ctx->opte && ctx->opte->opt_private->out_ccache) {
 krb5_ccache out_ccache = ctx->opte->opt_private->out_ccache;
 krb5_data config_data;
 code = krb5_cc_initialize(context, out_ccache, ctx->cred.client);
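Review bot: The reflowed comment above negotiation_requests_restart() carries two typos forward: `FAST enabled .` has a stray space before the period, and `PREAUTH_REQUIRED in pre-authentication is required` should read `PREAUTH_REQUIRED if pre-authentication is required`. The reflow also runs the KRB5INT_FAST_ARMOR_AVAIL entry's flag name into its description (`fast_state_flag if desired we could generate`); keeping `KRB5INT_FAST_ARMOR_AVAIL: fast_state_flag` on its own line followed by `if set, we can generate armor if desired; if not set, we can't use FAST even if the KDC wants to.` keeps it parallel with the other two entries. Since the restart decision keys off ctx->err_reply->error, a KDC error reply the client presumably cannot authenticate outside of FAST, the comment would be more useful if it said plainly that have_restarted is what bounds how often such an error can push the client through a restart. Several hunks end on this line; this note is about the @@ -1720 hunk, whose function is visible in full.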
@@ -1977,13 +1982,14 @@ init_creds_step_reply(krb5_context context,
 config_data.data = "yes";
 config_data.length = strlen(config_data.data);
 code = krb5_cc_set_config(context, out_ccache, ctx->cred.server,
- KRB5_CCCONF_FAST_AVAIL, &config_data);
+ KRB5_CONF_FAST_AVAIL, &config_data);
 }
 cc_cleanup:
 if (code !=0) {
 const char *msg;
 msg = krb5_get_error_message(context, code);
- krb5_set_error_message(context, code, "%s while storing credentials", msg);
+ krb5_set_error_message(context, code,
+ "%s while storing credentials", msg);
 krb5_free_error_message(context, msg);
 }
 }
|
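Review bot: The `KRB5_CCCONF_FAST_AVAIL` to `KRB5_CONF_FAST_AVAIL` change in the krb5_cc_set_config() call is the one non-whitespace change in an otherwise reformatting-only diff; if the constant was renamed in a header as part of the same commit that is fine, but it deserves a line in the commit message, because this ccache config entry is what the comment above negotiation_requests_restart() says lets later requests start out with FAST enabled. The `if (code !=0) {` under cc_cleanup should also pick up the spacing this commit applies elsewhere, `if (code != 0) {`. The enclosing init_creds_step_reply() body starts and ends outside this hunk.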