svn rev #24859: trunk/src/ include/ lib/ lib/krb5/ lib/krb5/keytab/ lib/krb5/krb/
ghudson@MIT.EDU
ghudson at MIT.EDU
Fri Apr 8 12:50:13 EDT 2011
http://mv.ezproxy.com.ezproxyberklee.flo.org/fisheye/changelog/krb5/?cs=24859
Commit By: ghudson
Log Message:
Add k5_kt_get_principal, an internal krb5 interface to try to get a
principal name from a keytab. Used currently by vfy_increds.c (in
place of its static helper); will also be used when querying the name
of the default gss-krb5 acceptor cred.
Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/lib/krb5/keytab/ktfns.c
U trunk/src/lib/krb5/krb/vfy_increds.c
U trunk/src/lib/krb5/libkrb5.exports
U trunk/src/lib/krb5_32.def
Modified: trunk/src/include/k5-int.h
===================================================================
--- trunk/src/include/k5-int.h 2011-04-08 00:39:21 UTC (rev 24858)
+++ trunk/src/include/k5-int.h 2011-04-08 16:50:13 UTC (rev 24859)
@@ -2618,6 +2618,9 @@
krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
const struct _krb5_kt_ops *);
+krb5_error_code k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
+ krb5_principal *princ_out);
+
krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
krb5_data *);
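Review bot: The new prototype at the top of the hunk carries no comment on ownership or the failure contract, and this internal header is what the other callers of the function will read. I would put a comment above the declaration along the lines of `/* Set *princ_out to a principal name from keytab (currently the first entry); the caller frees it. Returns KRB5_KT_NOTFOUND if the keytab is empty or cannot be iterated; *princ_out is NULL on the not-found paths. */`. As a point of style, the neighbouring prototypes in this hunk omit parameter names, so `krb5_error_code k5_kt_get_principal(krb5_context, krb5_keytab, krb5_principal *);` would match the surrounding declarations, though the named form is arguably clearer for a function whose output parameter matters.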
Modified: trunk/src/lib/krb5/keytab/ktfns.c
===================================================================
--- trunk/src/lib/krb5/keytab/ktfns.c 2011-04-08 00:39:21 UTC (rev 24858)
+++ trunk/src/lib/krb5/keytab/ktfns.c 2011-04-08 16:50:13 UTC (rev 24859)
@@ -97,4 +97,36 @@
{
return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
}
+
+/*
+ * In a couple of places we need to get a principal name from a keytab: when
+ * verifying credentials against a keytab, and when querying the name of a
+ * default GSS acceptor cred. Keytabs do not have the concept of a default
+ * principal like ccaches do, so for now we just return the first principal
+ * listed in the keytab, or an error if it's not iterable. In the future we
+ * could consider elevating this to a public API and giving keytab types an
+ * operation to return a default principal, and maybe extending the file format
+ * and tools to support it. Returns KRB5_KT_NOTFOUND if the keytab is empty
+ * or non-iterable.
+ */
+krb5_error_code
+k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
+ krb5_principal *princ_out)
+{
+ krb5_error_code ret;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry kte;
+
+ *princ_out = NULL;
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret)
+ return KRB5_KT_NOTFOUND;
+ ret = krb5_kt_next_entry(context, keytab, &kte, &cursor);
+ (void)krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (ret)
+ return (ret == KRB5_KT_END) ? KRB5_KT_NOTFOUND : ret;
+ ret = krb5_copy_principal(context, kte.principal, princ_out);
+ krb5_kt_free_entry(context, &kte);
+ return ret;
+}
#endif /* LEAN_CLIENT */
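Review bot: The first guard in the new function, `if (ret) return KRB5_KT_NOTFOUND;` after krb5_kt_start_seq_get, discards the underlying error code, so a keytab that exists but cannot be opened or read becomes indistinguishable from an empty one for every caller; the call site in vfy_increds.c then treats it as "no keytab" and allows the credentials through unless configuration demands verification. The static helper this replaces in vfy_increds.c returned the real code, so at that call site this is a loss of diagnostic detail rather than a behavior change, but the planned GSS acceptor-name caller inherits the same collapse. If the mapping is intended, the block comment should say so explicitly, e.g. `The error from krb5_kt_start_seq_get is deliberately folded into KRB5_KT_NOTFOUND so callers need only test for one code; an unreadable keytab is reported the same as an empty one.`; otherwise `if (ret) return ret;` keeps the original code and still meets the documented KRB5_KT_NOTFOUND contract for the empty case via the KRB5_KT_END check below it.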
Modified: trunk/src/lib/krb5/krb/vfy_increds.c
===================================================================
--- trunk/src/lib/krb5/krb/vfy_increds.c 2011-04-08 00:39:21 UTC (rev 24858)
+++ trunk/src/lib/krb5/krb/vfy_increds.c 2011-04-08 16:50:13 UTC (rev 24859)
@@ -20,28 +20,7 @@
return FALSE;
}
-/* Set *server_out to the first principal name in keytab. */
static krb5_error_code
-get_first_keytab_princ(krb5_context context, krb5_keytab keytab,
- krb5_principal *server_out)
-{
- krb5_error_code ret;
- krb5_kt_cursor cursor;
- krb5_keytab_entry kte;
-
- ret = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (ret)
- return ret;
- ret = krb5_kt_next_entry(context, keytab, &kte, &cursor);
- (void)krb5_kt_end_seq_get(context, keytab, &cursor);
- if (ret)
- return ret;
- ret = krb5_copy_principal(context, kte.principal, server_out);
- krb5_kt_free_entry(context, &kte);
- return ret;
-}
-
-static krb5_error_code
copy_creds_except(krb5_context context, krb5_ccache incc,
krb5_ccache outcc, krb5_principal princ)
{
@@ -128,8 +107,8 @@
if (ret)
goto cleanup;
} else {
- /* Use the first principal name in the keytab. */
- ret = get_first_keytab_princ(context, keytab, &server);
+ /* Use a principal name from the keytab. */
+ ret = k5_kt_get_principal(context, keytab, &server);
if (ret) {
/* There's no keytab, or it's empty, or we can't read it.
* Allow this unless configuration demands verification. */
Modified: trunk/src/lib/krb5/libkrb5.exports
===================================================================
--- trunk/src/lib/krb5/libkrb5.exports 2011-04-08 00:39:21 UTC (rev 24858)
+++ trunk/src/lib/krb5/libkrb5.exports 2011-04-08 16:50:13 UTC (rev 24859)
@@ -108,6 +108,7 @@
initialize_kv5m_error_table
initialize_prof_error_table
k5_free_serverlist
+k5_kt_get_principal
k5_locate_kdc
k5_plugin_free_modules
k5_plugin_load
Modified: trunk/src/lib/krb5_32.def
===================================================================
--- trunk/src/lib/krb5_32.def 2011-04-08 00:39:21 UTC (rev 24858)
+++ trunk/src/lib/krb5_32.def 2011-04-08 16:50:13 UTC (rev 24859)
@@ -408,3 +408,4 @@
; new in 1.10
krb5_sname_match @384
+ k5_kt_get_principal @385 ; PRIVATE GSSAPI