diff options
| author | Ben Kaduk <kaduk@mit.edu> | 2012-07-10 10:14:52 -0400 |
|---|---|---|
| committer | Ben Kaduk <kaduk@mit.edu> | 2013-11-04 13:51:14 -0500 |
| commit | 29dee7d2cece615bec4616fa9b727e77210051db (patch) | |
| tree | ff7e66cc2638a317144e75d99ec7006dd50d7df1 | |
| parent | 0415740bb569bad53b18f4483837e7e037f88544 (diff) | |
| download | krb5-29dee7d2cece615bec4616fa9b727e77210051db.tar.gz krb5-29dee7d2cece615bec4616fa9b727e77210051db.tar.xz krb5-29dee7d2cece615bec4616fa9b727e77210051db.zip | |
Avoid deprecated krb5_get_in_tkt_with_keytab
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead. As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.
The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.
The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.
ticket: 6366
| -rw-r--r-- | src/lib/kadm5/unit-test/setkey-test.c | 22 | ||||
| -rw-r--r-- | src/lib/krb5/krb/in_tkt_sky.c | 36 | ||||
| -rw-r--r-- | src/slave/kprop.c | 34 |
3 files changed, 46 insertions, 46 deletions
diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c index c1b9c5d1f..4da236e09 100644 --- a/src/lib/kadm5/unit-test/setkey-test.c +++ b/src/lib/kadm5/unit-test/setkey-test.c @@ -63,6 +63,7 @@ main(int argc, char **argv) krb5_keytab_entry ktent; krb5_encrypt_block eblock; krb5_creds my_creds; + krb5_get_init_creds_opt *opt; kadm5_principal_ent_rec princ_ent; krb5_principal princ, server; char pw[16]; @@ -138,8 +139,8 @@ main(int argc, char **argv) * For each enctype in the test, construct a random password/key. * Assign all keys to principal with kadm5_setkey_principal. Add * each key to the keytab, and acquire an initial ticket with the - * keytab (XXX can I specify the enctype & kvno explicitly?). If - * krb5_get_in_tkt_with_keytab succeeds, then the keys were set + * keytab (XXX can I specify the kvno explicitly?). If + * krb5_get_init_creds_keytab succeeds, then the keys were set * successfully. */ for (test = 0; tests[test] != NULL; test++) { @@ -191,13 +192,16 @@ main(int argc, char **argv) my_creds.server = server; ktypes[0] = testp[encnum].enctype; - ret = krb5_get_in_tkt_with_keytab(context, - 0 /* options */, - NULL /* addrs */, - ktypes, - NULL /* preauth */, - kt, 0, - &my_creds, 0); + ret = krb5_get_init_creds_opt_allocate(context, &opt); + if (ret) { + com_err(whoami, ret, "while allocating gic opts"); + exit(1); + } + krb5_get_init_creds_opt_set_etype_list(opt, ktypes, 1); + ret = krb5_get_init_creds_keytab(context, &my_creds, princ, + kt, 0, NULL /* in_tkt_service */, + opt); + krb5_get_init_creds_opt_free(context, opt); if (ret) { com_err(whoami, ret, "while acquiring initial ticket"); exit(1); diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c index b11e694dd..7a8922623 100644 --- a/src/lib/krb5/krb/in_tkt_sky.c +++ b/src/lib/krb5/krb/in_tkt_sky.c @@ -78,23 +78,29 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, int use_master = 0; krb5_get_init_creds_opt *opts = NULL; + retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes, + pre_auth_types, creds); + if (retval) + return retval; + + retval = krb5_get_init_creds_opt_set_out_ccache(context, opts, ccache); + if (retval) + goto cleanup; + #ifndef LEAN_CLIENT if (key == NULL) { - return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes, - pre_auth_types, NULL, ccache, - creds, ret_as_reply); + retval = krb5_get_init_creds_keytab(context, creds, creds->client, + NULL /* keytab */, + creds->times.starttime, + NULL /* in_tkt_service */, + opts); + goto cleanup; } #endif /* LEAN_CLIENT */ - retval = k5_populate_gic_opt(context, &opts, options, addrs, ktypes, - pre_auth_types, creds); - if (retval) - return retval; retval = krb5_unparse_name(context, creds->server, &server); - if (retval) { - krb5_get_init_creds_opt_free(context, opts); - return retval; - } + if (retval) + goto cleanup; server_princ = creds->server; client_princ = creds->client; retval = k5_get_init_creds(context, creds, creds->client, @@ -102,15 +108,13 @@ krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, get_as_key_skey, (void *)key, &use_master, ret_as_reply); krb5_free_unparsed_name(context, server); - krb5_get_init_creds_opt_free(context, opts); if (retval) - return retval; + goto cleanup; krb5_free_principal( context, creds->server); krb5_free_principal( context, creds->client); creds->client = client_princ; creds->server = server_princ; - /* store it in the ccache! */ - if (ccache) - retval = krb5_cc_store_cred(context, ccache, creds); +cleanup: + krb5_get_init_creds_opt_free(context, opts); return retval; } diff --git a/src/slave/kprop.c b/src/slave/kprop.c index b668147dc..f1fcc21a7 100644 --- a/src/slave/kprop.c +++ b/src/slave/kprop.c @@ -188,9 +188,10 @@ void get_tickets(context) krb5_context context; { char const ccname[] = "MEMORY:kpropcc"; - char *def_realm; + char *def_realm, *server; krb5_error_code retval; krb5_keytab keytab = NULL; + krb5_principal server_princ = NULL; /* * Figure out what tickets we'll be using to send stuff @@ -253,19 +254,17 @@ void get_tickets(context) memset(&creds, 0, sizeof(creds)); retval = krb5_sname_to_principal(context, slave_host, KPROP_SERVICE_NAME, - KRB5_NT_SRV_HST, &creds.server); + KRB5_NT_SRV_HST, &server_princ); if (retval) { com_err(progname, errno, _("while setting server principal name")); (void) krb5_cc_destroy(context, ccache); exit(1); } - if (realm) { - retval = krb5_set_principal_realm(context, creds.server, realm); - if (retval) { - com_err(progname, errno, - _("while setting server principal realm")); - exit(1); - } + retval = krb5_unparse_name_flags(context, server_princ, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server); + if (retval) { + com_err(progname, retval, _("while unparsing server name")); + exit(1); } /* @@ -286,10 +285,10 @@ void get_tickets(context) } } - retval = krb5_get_in_tkt_with_keytab(context, 0, 0, NULL, - NULL, keytab, ccache, &creds, 0); + retval = krb5_get_init_creds_keytab(context, &creds, my_principal, + keytab, 0, server, NULL); if (retval) { - com_err(progname, retval, _("while getting initial ticket\n")); + com_err(progname, retval, _("while getting initial credentials\n")); (void) krb5_cc_destroy(context, ccache); exit(1); } @@ -297,15 +296,8 @@ void get_tickets(context) if (keytab) (void) krb5_kt_close(context, keytab); - /* - * Now destroy the cache right away --- the credentials we - * need will be in my_creds. - */ - retval = krb5_cc_destroy(context, ccache); - if (retval) { - com_err(progname, retval, _("while destroying ticket cache")); - exit(1); - } + krb5_free_unparsed_name(context, server); + krb5_free_principal(context, server_princ); } static void |