diff options
author | Greg Hudson <ghudson@mit.edu> | 2014-03-01 00:35:50 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2014-03-05 16:48:50 -0500 |
commit | c724843cb90cfed71d54eab94b68b0583c1d6dc5 (patch) | |
tree | 5060aeaa8f07f514ffa665152fe96b02be0824b2 /src/lib/krb5/krb/preauth2.c | |
parent | 06817686bfdef99523f300464bcbb0c8b037a27d (diff) | |
download | krb5-c724843cb90cfed71d54eab94b68b0583c1d6dc5.tar.gz krb5-c724843cb90cfed71d54eab94b68b0583c1d6dc5.tar.xz krb5-c724843cb90cfed71d54eab94b68b0583c1d6dc5.zip |
Improve extended gic option support
The current extended gic option facility violates strict aliasing, is
not nestable (gic_opt_to_opte cannot be used on an extended options
structure casted back to krb5_get_init_creds_options), and requires
callers to use error-prone conversion functions.
Rewrite this code to use a new structure private to gic_opt.c, which
contains a krb5_get_init_creds_opt structure as its first member. We
can cast between the extended structure and its first element without
violating strict aliasing (C99 6.7.2.1 paragraph 13 and the aggregate
type clause of 6.5 paragraph 7). Define internal accessor functions
for the extended option fields. Replace all uses of krb5_gic_opt_ext
in callers with krb5_get_init_creds_opt and the new accessors. Bring
krb5_get_init_creds_opt_set_pa back into gic_opt.c (reverting
faa810c5b59fa33d9f7db837c5bb88df5436bb30) so that all of the code
which accesses the extended options structure can be in one file.
ticket: 6034
Diffstat (limited to 'src/lib/krb5/krb/preauth2.c')
-rw-r--r-- | src/lib/krb5/krb/preauth2.c | 22 |
1 files changed, 10 insertions, 12 deletions
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index f1b364dd9..cda91b908 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -492,7 +492,7 @@ static struct krb5_clpreauth_callbacks_st callbacks = { * to add support for to the list, but in the future perhaps doing more * involved things. */ void -k5_preauth_prepare_request(krb5_context context, krb5_gic_opt_ext *opte, +k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt, krb5_kdc_req *req) { struct krb5_preauth_context_st *pctx = context->preauth_context; @@ -502,7 +502,7 @@ k5_preauth_prepare_request(krb5_context context, krb5_gic_opt_ext *opte, if (pctx == NULL) return; /* Don't modify the enctype list if it's specified in the gic opts. */ - if (opte != NULL && (opte->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) + if (opt != NULL && (opt->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) return; for (hp = pctx->handles; *hp != NULL; hp++) { h = *hp; @@ -586,7 +586,6 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, krb5_preauthtype *out_type) { struct krb5_preauth_context_st *pctx = context->preauth_context; - krb5_get_init_creds_opt *opt = (krb5_get_init_creds_opt *)ctx->opte; struct errinfo save = EMPTY_ERRINFO; krb5_pa_data *pa, **pa_ptr, **mod_pa; krb5_error_code ret = 0; @@ -614,7 +613,7 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, if (real && already_tried(context, pa->pa_type)) continue; mod_pa = NULL; - ret = clpreauth_process(context, h, opt, &callbacks, + ret = clpreauth_process(context, h, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, ctx->encoded_previous_request, pa, @@ -863,7 +862,6 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, struct krb5_preauth_context_st *pctx = context->preauth_context; krb5_error_code ret; krb5_pa_data **mod_pa; - krb5_get_init_creds_opt *opt = (krb5_get_init_creds_opt *)ctx->opte; clpreauth_handle h; int i; @@ -878,7 +876,7 @@ k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, if (h == NULL) continue; mod_pa = NULL; - ret = clpreauth_tryagain(context, h, opt, &callbacks, + ret = clpreauth_tryagain(context, h, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, ctx->encoded_previous_request, @@ -901,7 +899,6 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx, krb5_pa_data **in_padata) { struct krb5_preauth_context_st *pctx = context->preauth_context; - krb5_get_init_creds_opt *opt = (krb5_get_init_creds_opt *)ctx->opte; krb5_error_code ret; krb5_pa_data *pa; clpreauth_handle h; @@ -915,7 +912,7 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx, h = find_module(pctx->handles, pa->pa_type); if (h == NULL) continue; - ret = clpreauth_prep_questions(context, h, opt, &callbacks, + ret = clpreauth_prep_questions(context, h, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, ctx->encoded_previous_request, pa); @@ -933,8 +930,8 @@ k5_preauth(krb5_context context, krb5_init_creds_context ctx, int out_pa_list_size = 0; krb5_pa_data **out_pa_list = NULL; krb5_error_code ret; - krb5_responder_fn responder = ctx->opte->opt_private->responder; - void *responder_data = ctx->opte->opt_private->responder_data; + krb5_responder_fn responder; + void *responder_data; *padata_out = NULL; *pa_type_out = KRB5_PADATA_NONE; @@ -978,6 +975,7 @@ k5_preauth(krb5_context context, krb5_init_creds_context ctx, goto error; /* Call the responder to answer response items. */ + k5_gic_opt_get_responder(ctx->opt, &responder, &responder_data); if (responder != NULL && !k5_response_items_empty(ctx->rctx.items)) { ret = (*responder)(context, responder_data, &ctx->rctx); if (ret) @@ -1003,11 +1001,11 @@ error: * has just been set */ krb5_error_code -krb5_preauth_supply_preauth_data(krb5_context context, krb5_gic_opt_ext *opte, +krb5_preauth_supply_preauth_data(krb5_context context, + krb5_get_init_creds_opt *opt, const char *attr, const char *value) { struct krb5_preauth_context_st *pctx = context->preauth_context; - krb5_get_init_creds_opt *opt = (krb5_get_init_creds_opt *)opte; clpreauth_handle *hp, h; krb5_error_code ret; const char *emsg = NULL; |