From 275df1b1b846a66c966a8108ba3b4d148f68ef6f Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 4 Apr 2019 14:37:38 -0400
Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
(cherry picked from commit 51395dc956ce9eef27c0d6843561d3d3828b03cd)
---
src/ccapi/common/cci_cred_union.c | 280 +-------------------------
src/ccapi/lib/ccapi_v2.c | 34 +--
src/ccapi/lib/win/OldCC/ccapi.h | 20 --
src/ccapi/server/ccs_ccache.c | 69 +-----
src/ccapi/test/test_ccapi_ccache.c | 227 +++-----------------
src/ccapi/test/test_ccapi_constants.c | 2 -
src/ccapi/test/test_ccapi_context.c | 3 -
src/ccapi/test/test_ccapi_v2.c | 89 --------
src/include/CredentialsCache.h | 156 ++++----------
src/include/CredentialsCache2.h | 26 +--
src/lib/krb5/ccache/ccapi/stdcc.c | 2 -
src/lib/krb5/ccache/ccapi/stdcc_util.c | 8 +-
src/windows/kfwlogon/kfwlogon.h | 2 +-
src/windows/leashdll/leash-int.h | 2 +-
src/windows/lib/cacheapi.h | 53 +----
15 files changed, 100 insertions(+), 873 deletions(-)
diff --git a/src/ccapi/common/cci_cred_union.c b/src/ccapi/common/cci_cred_union.c
index 4c8981610..424a93dab 100644
--- a/src/ccapi/common/cci_cred_union.c
+++ b/src/ccapi/common/cci_cred_union.c
@@ -25,181 +25,6 @@ #include "cci_common.h" -#ifdef TARGET_OS_MAC -#pragma mark - -#endif - -/* ------------------------------------------------------------------------ */ - -static cc_uint32 cci_credentials_v4_release (cc_credentials_v4_t *io_v4creds) -{ - cc_int32 err = ccNoError; - - if (!io_v4creds) { err = ccErrBadParam; } - - if (!err) { - memset (io_v4creds, 0, sizeof (*io_v4creds)); - free (io_v4creds); - } - - return err; -} - -/* ------------------------------------------------------------------------ */ - -static cc_uint32 cci_credentials_v4_read (cc_credentials_v4_t **out_v4creds, - k5_ipc_stream io_stream) -{ - cc_int32 err = ccNoError; - cc_credentials_v4_t *v4creds = NULL; - - if (!io_stream ) { err = cci_check_error (ccErrBadParam); } - if (!out_v4creds) { err = cci_check_error (ccErrBadParam); } - - if (!err) { - v4creds = malloc (sizeof (*v4creds)); - if (!v4creds) { err = cci_check_error (ccErrNoMem); } - } - - if (!err) { - err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->version); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->principal, cc_v4_name_size); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->principal_instance, cc_v4_instance_size); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->service, cc_v4_name_size); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->service_instance, cc_v4_instance_size); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->realm, cc_v4_realm_size); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->session_key, cc_v4_key_size); - } - - if (!err) { - err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->kvno); - } - - if (!err) { - err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->string_to_key_type); - } - - if (!err) { - err = krb5int_ipc_stream_read_time (io_stream, &v4creds->issue_date); - } - - if (!err) { - err = krb5int_ipc_stream_read_int32 
(io_stream, &v4creds->lifetime); - } - - if (!err) { - err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->address); - } - - if (!err) { - err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->ticket_size); - } - - if (!err) { - err = krb5int_ipc_stream_read (io_stream, v4creds->ticket, cc_v4_ticket_size); - } - - if (!err) { - *out_v4creds = v4creds; - v4creds = NULL; - } - - free (v4creds); - - return cci_check_error (err); -} - -/* ------------------------------------------------------------------------ */ - -static cc_uint32 cci_credentials_v4_write (cc_credentials_v4_t *in_v4creds, - k5_ipc_stream io_stream) -{ - cc_int32 err = ccNoError; - - if (!io_stream ) { err = cci_check_error (ccErrBadParam); } - if (!in_v4creds) { err = cci_check_error (ccErrBadParam); } - - if (!err) { - err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->version); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal, cc_v4_name_size); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal_instance, cc_v4_instance_size); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->service, cc_v4_name_size); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->service_instance, cc_v4_instance_size); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->realm, cc_v4_realm_size); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->session_key, cc_v4_key_size); - } - - if (!err) { - err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->kvno); - } - - if (!err) { - err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->string_to_key_type); - } - - if (!err) { - err = krb5int_ipc_stream_write_time (io_stream, in_v4creds->issue_date); - } - - if (!err) { - err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->lifetime); - } - - if (!err) { - err = krb5int_ipc_stream_write_uint32 (io_stream, 
in_v4creds->address); - } - - if (!err) { - err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->ticket_size); - } - - if (!err) { - err = krb5int_ipc_stream_write (io_stream, in_v4creds->ticket, cc_v4_ticket_size); - } - - return cci_check_error (err); -} - -#ifdef TARGET_OS_MAC -#pragma mark - -#endif - /* ------------------------------------------------------------------------ */ static cc_uint32 cci_cc_data_contents_release (cc_data *io_ccdata) @@ -600,9 +425,7 @@ cc_uint32 cci_credentials_union_release (cc_credentials_union *io_cred_union) if (!io_cred_union) { err = ccErrBadParam; } if (!err) { - if (io_cred_union->version == cc_credentials_v4) { - cci_credentials_v4_release (io_cred_union->credentials.credentials_v4); - } else if (io_cred_union->version == cc_credentials_v5) { + if (io_cred_union->version == cc_credentials_v5) { cci_credentials_v5_release (io_cred_union->credentials.credentials_v5); } free (io_cred_union); @@ -632,11 +455,7 @@ cc_uint32 cci_credentials_union_read (cc_credentials_union **out_credentials_uni } if (!err) { - if (credentials_union->version == cc_credentials_v4) { - err = cci_credentials_v4_read (&credentials_union->credentials.credentials_v4, - io_stream); - - } else if (credentials_union->version == cc_credentials_v5) { + if (credentials_union->version == cc_credentials_v5) { err = cci_credentials_v5_read (&credentials_union->credentials.credentials_v5, io_stream); @@ -671,11 +490,7 @@ cc_uint32 cci_credentials_union_write (const cc_credentials_union *in_credential } if (!err) { - if (in_credentials_union->version == cc_credentials_v4) { - err = cci_credentials_v4_write (in_credentials_union->credentials.credentials_v4, - io_stream); - - } else if (in_credentials_union->version == cc_credentials_v5) { + if (in_credentials_union->version == cc_credentials_v5) { err = cci_credentials_v5_write (in_credentials_union->credentials.credentials_v5, io_stream); 
@@ -714,11 +529,7 @@ cc_uint32 cci_cred_union_release (cred_union *io_cred_union) if (!io_cred_union) { err = ccErrBadParam; } if (!err) { - if (io_cred_union->cred_type == CC_CRED_V4) { - memset (io_cred_union->cred.pV4Cred, 0, sizeof (cc_credentials_v4_compat)); - free (io_cred_union->cred.pV4Cred); - - } else if (io_cred_union->cred_type == CC_CRED_V5) { + if (io_cred_union->cred_type == CC_CRED_V5) { free (io_cred_union->cred.pV5Cred->client); free (io_cred_union->cred.pV5Cred->server); cci_cc_data_contents_release (&io_cred_union->cred.pV5Cred->keyblock); 
@@ -829,36 +640,7 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c } if (!err) { - if (in_credentials_union->version == cc_credentials_v4) { - cc_credentials_v4_compat *compat_v4creds = NULL; - - compat_v4creds = malloc (sizeof (*compat_v4creds)); - if (!compat_v4creds) { err = cci_check_error (ccErrNoMem); } - - if (!err) { - cc_credentials_v4_t *v4creds = in_credentials_union->credentials.credentials_v4; - - compat_cred_union->cred_type = CC_CRED_V4; - compat_cred_union->cred.pV4Cred = compat_v4creds; - - compat_v4creds->kversion = v4creds->version; - strncpy (compat_v4creds->principal, v4creds->principal, KRB_NAME_SZ+1); - strncpy (compat_v4creds->principal_instance, v4creds->principal_instance, KRB_INSTANCE_SZ+1); - strncpy (compat_v4creds->service, v4creds->service, KRB_NAME_SZ+1); - strncpy (compat_v4creds->service_instance, v4creds->service_instance, KRB_INSTANCE_SZ+1); - strncpy (compat_v4creds->realm, v4creds->realm, KRB_REALM_SZ+1); - memcpy (compat_v4creds->session_key, v4creds->session_key, 8); - compat_v4creds->kvno = v4creds->kvno; - compat_v4creds->str_to_key = v4creds->string_to_key_type; - compat_v4creds->issue_date = v4creds->issue_date; - compat_v4creds->lifetime = v4creds->lifetime; - compat_v4creds->address = v4creds->address; - compat_v4creds->ticket_sz = v4creds->ticket_size; - memcpy (compat_v4creds->ticket, v4creds->ticket, MAX_V4_CRED_LEN); - compat_v4creds->oops = 0; - } - - } else if (in_credentials_union->version == cc_credentials_v5) { + if (in_credentials_union->version == cc_credentials_v5) { cc_credentials_v5_t *v5creds = in_credentials_union->credentials.credentials_v5; cc_credentials_v5_compat *compat_v5creds = NULL; 
@@ -951,36 +733,7 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un } if (!err) { - if (in_cred_union->cred_type == CC_CRED_V4) { - cc_credentials_v4_compat *compat_v4creds = in_cred_union->cred.pV4Cred; - cc_credentials_v4_t *v4creds = NULL; - - if (!err) { - v4creds = malloc (sizeof (*v4creds)); - if (!v4creds) { err = cci_check_error (ccErrNoMem); } - } - - if (!err) { - creds_union->version = cc_credentials_v4; - creds_union->credentials.credentials_v4 = v4creds; - - v4creds->version = compat_v4creds->kversion; - strncpy (v4creds->principal, compat_v4creds->principal, KRB_NAME_SZ); - strncpy (v4creds->principal_instance, compat_v4creds->principal_instance, KRB_INSTANCE_SZ); - strncpy (v4creds->service, compat_v4creds->service, KRB_NAME_SZ); - strncpy (v4creds->service_instance, compat_v4creds->service_instance, KRB_INSTANCE_SZ); - strncpy (v4creds->realm, compat_v4creds->realm, KRB_REALM_SZ); - memcpy (v4creds->session_key, compat_v4creds->session_key, 8); - v4creds->kvno = compat_v4creds->kvno; - v4creds->string_to_key_type = compat_v4creds->str_to_key; - v4creds->issue_date = compat_v4creds->issue_date; - v4creds->lifetime = compat_v4creds->lifetime; - v4creds->address = compat_v4creds->address; - v4creds->ticket_size = compat_v4creds->ticket_sz; - memcpy (v4creds->ticket, compat_v4creds->ticket, MAX_V4_CRED_LEN); - } - - } else if (in_cred_union->cred_type == CC_CRED_V5) { + if (in_cred_union->cred_type == CC_CRED_V5) { cc_credentials_v5_compat *compat_v5creds = in_cred_union->cred.pV5Cred; cc_credentials_v5_t *v5creds = NULL; 
@@ -1072,26 +825,7 @@ cc_uint32 cci_cred_union_compare_to_credentials_union (const cred_union if (!out_equal ) { err = cci_check_error (ccErrBadParam); } if (!err) { - if (in_cred_union_compat->cred_type == CC_CRED_V4 && - in_credentials_union->version == cc_credentials_v4) { - cc_credentials_v4_compat *old_creds_v4 = in_cred_union_compat->cred.pV4Cred; - cc_credentials_v4_t *new_creds_v4 = in_credentials_union->credentials.credentials_v4; - - if (old_creds_v4 && new_creds_v4 && - !strcmp (old_creds_v4->principal, - new_creds_v4->principal) && - !strcmp (old_creds_v4->principal_instance, - new_creds_v4->principal_instance) && - !strcmp (old_creds_v4->service, - new_creds_v4->service) && - !strcmp (old_creds_v4->service_instance, - new_creds_v4->service_instance) && - !strcmp (old_creds_v4->realm, new_creds_v4->realm) && - (old_creds_v4->issue_date == (long) new_creds_v4->issue_date)) { - equal = 1; - } - - } else if (in_cred_union_compat->cred_type == CC_CRED_V5 && + if (in_cred_union_compat->cred_type == CC_CRED_V5 && in_credentials_union->version == cc_credentials_v5) { cc_credentials_v5_compat *old_creds_v5 = in_cred_union_compat->cred.pV5Cred; cc_credentials_v5_t *new_creds_v5 = in_credentials_union->credentials.credentials_v5; diff --git a/src/ccapi/lib/ccapi_v2.c b/src/ccapi/lib/ccapi_v2.c index 8a831d796..ae9b790b0 100644 --- a/src/ccapi/lib/ccapi_v2.c +++ b/src/ccapi/lib/ccapi_v2.c @@ -44,10 +44,7 @@ static cc_int32 cci_remap_version (cc_int32 in_v2_version, if (!out_v3_version) { err = cci_check_error (ccErrBadParam); } if (!err) { - if (in_v2_version == CC_CRED_V4) { - *out_v3_version = cc_credentials_v4; - - } else if (in_v2_version == CC_CRED_V5) { + if (in_v2_version == CC_CRED_V5) { *out_v3_version = cc_credentials_v5; } else { 
@@ -450,10 +447,7 @@ cc_result cc_get_cred_version (apiCB *in_context, } if (!err) { - if (compat_version == cc_credentials_v4) { - *out_version = CC_CRED_V4; - - } else if (compat_version == cc_credentials_v5) { + if (compat_version == cc_credentials_v5) { *out_version = CC_CRED_V5; } else { @@ -642,10 +636,6 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, if (!out_ccache ) { err = cci_check_error (ccErrBadParam); } if (!in_iterator) { err = cci_check_error (ccErrBadParam); } - /* CCache iterators need to return some ccaches twice (when v3 ccache has - * two kinds of credentials). To do that, we return such ccaches twice - * v4 first, then v5. */ - if (!err) { err = cci_ccache_iterator_get_saved_ccache_name (iterator, &saved_ccache_name); @@ -674,25 +664,7 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context, } if (!err) { - if (version == cc_credentials_v4_v5) { - cc_string_t name = NULL; - - err = cci_ccache_set_compat_version (ccache, cc_credentials_v4); - - if (!err) { - err = ccapi_ccache_get_name (ccache, &name); - } - - if (!err) { - err = cci_ccache_iterator_set_saved_ccache_name (iterator, - name->data); - } - - if (name) { ccapi_string_release (name); } - - } else { - err = cci_ccache_set_compat_version (ccache, version); - } + err = cci_ccache_set_compat_version (ccache, version); } } } diff --git a/src/ccapi/lib/win/OldCC/ccapi.h b/src/ccapi/lib/win/OldCC/ccapi.h index 82512771a..4d6f3faaf 100644 --- a/src/ccapi/lib/win/OldCC/ccapi.h +++ b/src/ccapi/lib/win/OldCC/ccapi.h @@ -80,7 +80,6 @@ enum __MIDL_ccapi_0003 { KRB_NAME_SZ = 40, KRB_INSTANCE_SZ = 40, KRB_REALM_SZ = 40, - MAX_V4_CRED_LEN = 1250 } ; typedef struct _NC_INFO { 
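Review bot: In cc_seq_fetch_NCs_next (the @@ -674 hunk of src/ccapi/lib/ccapi_v2.c), the deleted cc_credentials_v4_v5 branch held the only call visible in this diff that stored a name with cci_ccache_iterator_set_saved_ccache_name, yet the earlier hunk of the same function still reads one back with cci_ccache_iterator_get_saved_ccache_name. If no other caller stores a name, the saved-name path is now unreachable and should either be removed in this change or carry a comment such as `/* saved ccache name is never set now that v4 is gone */`. The function body starts and ends outside both hunks, so this needs confirming against the full file.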
@@ -95,24 +94,6 @@ typedef struct _NC_INFO_LIST /* [size_is] */ NC_INFO *info; } NC_INFO_LIST; -typedef struct _V4_CRED - { - CC_UCHAR kversion; - CC_CHAR principal[ 41 ]; - CC_CHAR principal_instance[ 41 ]; - CC_CHAR service[ 41 ]; - CC_CHAR service_instance[ 41 ]; - CC_CHAR realm[ 41 ]; - CC_UCHAR session_key[ 8 ]; - CC_INT32 kvno; - CC_INT32 str_to_key; - CC_INT32 issue_date; - CC_INT32 lifetime; - CC_UINT32 address; - CC_INT32 ticket_sz; - CC_UCHAR ticket[ 1250 ]; - } V4_CRED; - typedef struct _CC_DATA { CC_UINT32 type; @@ -145,7 +126,6 @@ typedef struct _V5_CRED typedef /* [switch_type] */ union _CRED_PTR_UNION { - /* [case()] */ V4_CRED *pV4Cred; /* [case()] */ V5_CRED *pV5Cred; } CRED_PTR_UNION; diff --git a/src/ccapi/server/ccs_ccache.c b/src/ccapi/server/ccs_ccache.c index 65c59e4be..645380a7b 100644 --- a/src/ccapi/server/ccs_ccache.c +++ b/src/ccapi/server/ccs_ccache.c @@ -31,19 +31,16 @@ struct ccs_ccache_d { ccs_lock_state_t lock_state; cc_uint32 creds_version; char *name; - char *v4_principal; char *v5_principal; cc_time_t last_default_time; cc_time_t last_changed_time; - cc_uint32 kdc_time_offset_v4_valid; - cc_time_t kdc_time_offset_v4; cc_uint32 kdc_time_offset_v5_valid; cc_time_t kdc_time_offset_v5; ccs_credentials_list_t credentials; ccs_callback_array_t change_callbacks; }; -struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, NULL, NULL }; +struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL }; /* ------------------------------------------------------------------------ */ 
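Review bot: The positional initializer for ccs_ccache_initializer in src/ccapi/server/ccs_ccache.c has to be recounted by hand whenever a member is dropped; the new list has eleven values, which matches the struct only if exactly one member sits above lock_state outside the hunk. A comment beside it naming the members in order, for example `/* identifier, lock_state, creds_version, name, v5_principal, ... */`, or designated initializers if the project's C dialect allows them, would let the next removal be checked at a glance.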
@@ -88,11 +85,7 @@ cc_int32 ccs_ccache_new (ccs_ccache_t *out_ccache, if (!err) { ccache->creds_version = in_creds_version; - if (ccache->creds_version == cc_credentials_v4) { - ccache->v4_principal = strdup (in_principal); - if (!ccache->v4_principal) { err = cci_check_error (ccErrNoMem); } - - } else if (ccache->creds_version == cc_credentials_v5) { + if (ccache->creds_version == cc_credentials_v5) { ccache->v5_principal = strdup (in_principal); if (!ccache->v5_principal) { err = cci_check_error (ccErrNoMem); } @@ -147,7 +140,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, const char *in_principal) { cc_int32 err = ccNoError; - char *v4_principal = NULL; char *v5_principal = NULL; ccs_credentials_list_t credentials = NULL; @@ -158,11 +150,7 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, if (!err) { io_ccache->creds_version = in_creds_version; - if (io_ccache->creds_version == cc_credentials_v4) { - v4_principal = strdup (in_principal); - if (!v4_principal) { err = cci_check_error (ccErrNoMem); } - - } else if (io_ccache->creds_version == cc_credentials_v5) { + if (io_ccache->creds_version == cc_credentials_v5) { v5_principal = strdup (in_principal); if (!v5_principal) { err = cci_check_error (ccErrNoMem); } @@ -176,15 +164,9 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, } if (!err) { - io_ccache->kdc_time_offset_v4 = 0; - io_ccache->kdc_time_offset_v4_valid = 0; io_ccache->kdc_time_offset_v5 = 0; io_ccache->kdc_time_offset_v5_valid = 0; - if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } - io_ccache->v4_principal = v4_principal; - v4_principal = NULL; /* take ownership */ - if (io_ccache->v5_principal) { free (io_ccache->v5_principal); } io_ccache->v5_principal = v5_principal; v5_principal = NULL; /* take ownership */ 
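Review bot: ccs_ccache_reset (the @@ -158 hunk) still assigns `io_ccache->creds_version = in_creds_version;` before testing the value, so a request carrying a version that is no longer accepted, which now includes the former v4 value, overwrites the stored version of a live ccache even when the call fails. That assumes the trailing else, which is outside the hunk, reports an error. Testing the argument first with `if (in_creds_version == cc_credentials_v5) {` and moving the assignment into the later success block, next to the `io_ccache->v5_principal = v5_principal;` swap, would leave the ccache untouched on the error path. ccs_ccache_new has the same ordering in the @@ -88 hunk, but there the object appears to be freshly created, so the concern is limited to the reset path.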
@@ -196,7 +178,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache, err = ccs_ccache_changed (io_ccache, io_cache_collection); } - free (v4_principal); free (v5_principal); ccs_credentials_list_release (credentials); @@ -250,7 +231,6 @@ cc_int32 ccs_ccache_release (ccs_ccache_t io_ccache) cci_identifier_release (io_ccache->identifier); ccs_lock_state_release (io_ccache->lock_state); free (io_ccache->name); - free (io_ccache->v4_principal); free (io_ccache->v5_principal); ccs_credentials_list_release (io_ccache->credentials); ccs_callback_array_release (io_ccache->change_callbacks); @@ -607,15 +587,8 @@ static cc_int32 ccs_ccache_get_principal (ccs_ccache_t io_ccache, err = krb5int_ipc_stream_read_uint32 (in_request_data, &version); } - if (!err && version == cc_credentials_v4_v5) { - err = cci_check_error (ccErrBadCredentialsVersion); - } - if (!err) { - if (version == cc_credentials_v4) { - err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v4_principal); - - } else if (version == cc_credentials_v5) { + if (version == cc_credentials_v5) { err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v5_principal); } else { @@ -652,16 +625,7 @@ static cc_int32 ccs_ccache_set_principal (ccs_ccache_t io_ccache, if (!err) { /* reset KDC time offsets because they are per-KDC */ - if (version == cc_credentials_v4) { - io_ccache->kdc_time_offset_v4 = 0; - io_ccache->kdc_time_offset_v4_valid = 0; - - if (io_ccache->v4_principal) { free (io_ccache->v4_principal); } - io_ccache->v4_principal = principal; - principal = NULL; /* take ownership */ - - - } else if (version == cc_credentials_v5) { + if (version == cc_credentials_v5) { io_ccache->kdc_time_offset_v5 = 0; io_ccache->kdc_time_offset_v5_valid = 0; 
@@ -998,14 +962,7 @@ static cc_int32 ccs_ccache_get_kdc_time_offset (ccs_ccache_t io_ccache } if (!err) { - if (cred_vers == cc_credentials_v4) { - if (io_ccache->kdc_time_offset_v4_valid) { - err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v4); - } else { - err = cci_check_error (ccErrTimeOffsetNotSet); - } - - } else if (cred_vers == cc_credentials_v5) { + if (cred_vers == cc_credentials_v5) { if (io_ccache->kdc_time_offset_v5_valid) { err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v5); } else { @@ -1040,13 +997,7 @@ static cc_int32 ccs_ccache_set_kdc_time_offset (ccs_ccache_t io_ccache } if (!err) { - if (cred_vers == cc_credentials_v4) { - err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v4); - - if (!err) { - io_ccache->kdc_time_offset_v4_valid = 1; - } - } else if (cred_vers == cc_credentials_v5) { + if (cred_vers == cc_credentials_v5) { err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v5); if (!err) { @@ -1084,11 +1035,7 @@ static cc_int32 ccs_ccache_clear_kdc_time_offset (ccs_ccache_t io_ccac } if (!err) { - if (cred_vers == cc_credentials_v4) { - io_ccache->kdc_time_offset_v4 = 0; - io_ccache->kdc_time_offset_v4_valid = 0; - - } else if (cred_vers == cc_credentials_v5) { + if (cred_vers == cc_credentials_v5) { io_ccache->kdc_time_offset_v5 = 0; io_ccache->kdc_time_offset_v5_valid = 0; diff --git a/src/ccapi/test/test_ccapi_ccache.c b/src/ccapi/test/test_ccapi_ccache.c index a0fd84af1..fe63e6710 100644 --- a/src/ccapi/test/test_ccapi_ccache.c +++ b/src/ccapi/test/test_ccapi_ccache.c 
@@ -303,18 +303,6 @@ int check_cc_ccache_get_credentials_version(void) { failure_count++; } - // try it with added v4 creds - if (!err) { - err = cc_ccache_set_principal(ccache, cc_credentials_v4, "foo@BAR.ORG"); - } - if (!err) { - check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v5 with v4 creds added"); - } - else { - log_error("cc_ccache_set_principal failed, can't complete test"); - failure_count++; - } - if (ccache) { cc_ccache_destroy(ccache); ccache = NULL; @@ -322,35 +310,6 @@ int check_cc_ccache_get_credentials_version(void) { err = ccNoError; - // try one created with v4 creds - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAR.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4, ccNoError, "v4 creds"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - - // try it with added v5 creds - if (!err) { - err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG"); - } - if (!err) { - check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v4 with v5 creds added"); - } - else { - log_error("cc_ccache_set_principal failed, can't complete test"); - failure_count++; - } - - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; - } - if (context) { cc_context_release(context); } #endif /* cc_ccache_get_credentials_version */ 
@@ -582,31 +541,13 @@ int check_cc_ccache_get_principal(void) { log_error("cc_context_create_new_ccache failed, can't complete test"); failure_count++; } - if (ccache) { - cc_ccache_release(ccache); - ccache = NULL; - } - // try with krb4 principal - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo.BAR@BAZ.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_get_principal(ccache, cc_credentials_v4, "foo.BAR@BAZ.ORG", ccNoError, "trying to get krb4 princ for krb4 ccache"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - - // try with bad param - if (!err) { - // cc_ccache_t doesn't have any concept of the difference between a v4 and v5 principal - check_once_cc_ccache_get_principal(ccache, cc_credentials_v4_v5, "foo.BAR@BAZ.ORG", - ccErrBadCredentialsVersion, - "passing cc_credentials_v4_v5 (shouldn't be allowed)"); - check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "passed null out param"); - } + // try with bad param + if (!err) { + check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, + NULL, ccErrBadParam, + "passed null out param"); + } if (ccache) { cc_ccache_release(ccache); 
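Review bot: The rewritten bad-param block in check_cc_ccache_get_principal drops the only case in this hunk that expected ccErrBadCredentialsVersion, so the test no longer checks that a version other than cc_credentials_v5 is refused. The same negative case is removed from check_cc_ccache_set_principal, check_cc_ccache_store_credentials and the three kdc_time_offset tests later in this file, and from the three create-ccache tests in test_ccapi_context.c. If that error code remains defined after this change (the header edits are not visible here) and an unsupported value still maps to it, one case per function with a plain unsupported value would keep the rejection path covered, for example `check_once_cc_ccache_get_principal(ccache, 0, "foo.BAR@BAZ.ORG", ccErrBadCredentialsVersion, "unsupported creds version");`.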
@@ -643,99 +584,33 @@ int check_cc_ccache_set_principal(void) { err = destroy_all_ccaches(context); } - // bad params - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_set_principal(ccache, cc_credentials_v4_v5, "foo/BAZ@BAR.ORG", ccErrBadCredentialsVersion, "cc_credentials_v4_v5 (not allowed)"); - check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL principal"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; - } - - - // empty ccache - - // replace v5 only ccache's principal - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "replace v5 only ccache's principal (empty ccache)"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; - } - - // add v4 principal to v5 only ccache - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "add v4 principal to v5 only ccache (empty ccache)"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; - } - - // replace v4 only ccache's principal - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "replace v4 only ccache's principal (empty ccache)"); - } - else { - 
log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; - } - - // add v5 principal to v4 only ccache - if (!err) { - err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache); - } - if (!err) { - check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "add v5 principal to v4 only ccache (empty ccache)"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } - if (ccache) { - cc_ccache_destroy(ccache); - ccache = NULL; - } - - // with credentials - - // replace v5 only ccache's principal - - // add v4 principal to v5 only ccache - - // replace v4 only ccache's principal - - // add v5 principal to v4 only ccache + // replace v5 only ccache's principal + if (!err) { + err = cc_context_create_new_ccache(context, cc_credentials_v5, + "foo@BAZ.ORG", &ccache); + } + if (!err) { + check_once_cc_ccache_set_principal( + ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, + "replace v5 only ccache's principal (empty ccache)"); + } + else { + log_error( + "cc_context_create_new_ccache failed, can't complete test"); + failure_count++; + } + + // bad params + if (!err) { + check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, + NULL, ccErrBadParam, + "NULL principal"); + } + + if (ccache) { + cc_ccache_destroy(ccache); + ccache = NULL; + } if (context) { err = destroy_all_ccaches(context); 
@@ -847,21 +722,6 @@ int check_cc_ccache_store_credentials(void) { if (&creds_union) { release_v5_creds_union(&creds_union); } - // bad creds version - if (!err) { - err = new_v5_creds_union(&creds_union, "BAR.ORG"); - } - - if (!err) { - creds_union.version = cc_credentials_v4_v5; - check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4_v5 creds (invalid) into a ccache with only v5 princ"); - creds_union.version = cc_credentials_v4; - check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4 creds into a ccache with only v5 princ"); - creds_union.version = cc_credentials_v5; - } - - if (&creds_union) { release_v5_creds_union(&creds_union); } - // non-existent ccache if (ccache) { err = cc_ccache_get_name(ccache, &name); @@ -1809,21 +1669,10 @@ int check_cc_ccache_get_kdc_time_offset(void) { err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, time_offset); } if (!err) { - check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5 but not v4"); - } - if (!err) { - check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccErrTimeOffsetNotSet, "asking for v4 offset when only v5 is set"); - } - if (!err) { - err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, time_offset); - } - if (!err) { - check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccNoError, "asking for v4 offset when v4 and v5 are set"); + check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5"); } - check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL time_offset out param"); - check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4_v5, &time_offset, ccErrBadCredentialsVersion, "v4_v5 creds_vers in param (invalid)"); if (ccache) { cc_ccache_release(ccache); } 
@@ -1900,9 +1749,6 @@ int check_cc_ccache_set_kdc_time_offset(void) { } check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0, ccNoError, "first time setting offset (v5)"); - check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0, ccNoError, "first time setting offset (v4)"); - - check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4_v5, 0, ccErrBadCredentialsVersion, "invalid creds_vers (v4_v5)"); if (ccache) { cc_ccache_release(ccache); } @@ -1978,15 +1824,10 @@ int check_cc_ccache_clear_kdc_time_offset(void) { } check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing an offset that was never set (v5)"); - check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing an offset that was never set (v4)"); err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0); - err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0); check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing v5"); - check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing v4"); - - check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4_v5, ccErrBadCredentialsVersion, "bad in param creds vers (v4_v5)"); if (ccache) { cc_ccache_release(ccache); } diff --git a/src/ccapi/test/test_ccapi_constants.c b/src/ccapi/test/test_ccapi_constants.c index 9f2aecbc2..57377262e 100644 --- a/src/ccapi/test/test_ccapi_constants.c +++ b/src/ccapi/test/test_ccapi_constants.c @@ -46,9 +46,7 @@ int check_constants(void) { /* Credentials versions */ - check_int(cc_credentials_v4, 1); check_int(cc_credentials_v5, 2); - check_int(cc_credentials_v4_v5, (cc_credentials_v4 | cc_credentials_v5)); /* Lock types */ diff --git a/src/ccapi/test/test_ccapi_context.c b/src/ccapi/test/test_ccapi_context.c index 09feebee5..2dc348ea0 100644 --- a/src/ccapi/test/test_ccapi_context.c +++ b/src/ccapi/test/test_ccapi_context.c 
@@ -583,7 +583,6 @@ int check_cc_context_create_ccache(void) { // try bad parameters err = check_once_cc_context_create_ccache(context, NULL, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccErrBadParam, "NULL name"); // NULL name - err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache } @@ -681,7 +680,6 @@ int check_cc_context_create_default_ccache(void) { } // try bad parameters - err = check_once_cc_context_create_default_ccache(context, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache } @@ -773,7 +771,6 @@ int check_cc_context_create_new_ccache(void) { if (ccache) { cc_ccache_release(ccache); } // try bad parameters - err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache } diff --git a/src/ccapi/test/test_ccapi_v2.c b/src/ccapi/test/test_ccapi_v2.c index e0205ce46..c71bb45a8 100644 
--- a/src/ccapi/test/test_ccapi_v2.c +++ b/src/ccapi/test/test_ccapi_v2.c @@ -45,20 +45,6 @@ static int compare_v5_creds_unions_compat(const cred_union *a, const cred_union a->cred.pV5Cred->starttime == b->cred.pV5Cred->starttime) { retval = 0; } - } else if (a->cred_type == CC_CRED_V4) { - if (!strcmp (a->cred.pV4Cred->principal, - b->cred.pV4Cred->principal) && - !strcmp (a->cred.pV4Cred->principal_instance, - b->cred.pV4Cred->principal_instance) && - !strcmp (a->cred.pV4Cred->service, - b->cred.pV4Cred->service) && - !strcmp (a->cred.pV4Cred->service_instance, - b->cred.pV4Cred->service_instance) && - !strcmp (a->cred.pV4Cred->realm, - b->cred.pV4Cred->realm) && - a->cred.pV4Cred->issue_date == b->cred.pV4Cred->issue_date) { - retval = 0; - } } } @@ -361,10 +347,6 @@ int check_cc_open(void) { err = check_once_cc_open(context, name, CC_CRED_V5, &ccache, CC_NOERROR, NULL); } - // check version - if (!err) { - err = check_once_cc_open(context, name, CC_CRED_V4, &ccache, CC_ERR_CRED_VERSION, NULL); - } // try bad parameters err = check_once_cc_open(context, NULL, CC_CRED_V5, &ccache, CC_BAD_PARM, NULL); err = check_once_cc_open(context, name, CC_CRED_V5, NULL, CC_BAD_PARM, NULL); @@ -681,17 +663,6 @@ int check_cc_get_cred_version(void) { err = CC_NOERROR; - // try one created with v4 creds - if (!err) { - err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V4, 0, &ccache); - } - if (!err) { - check_once_cc_get_cred_version(context, ccache, CC_CRED_V4, CC_NOERROR, "v4 creds"); - } - else { - log_error("cc_context_create_new_ccache failed, can't complete test"); - failure_count++; - } if (ccache) { cc_destroy(context, &ccache); ccache = NULL; @@ -840,7 +811,6 @@ int check_cc_get_principal(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5"; - char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4"; BEGIN_TEST("cc_get_principal"); 
@@ -866,18 +836,6 @@ int check_cc_get_principal(void) { ccache = NULL; } - // try with krb4 principal - if (!err) { - err = cc_create(context, name_v4, "foo.BAR@BAZ.ORG", CC_CRED_V4, 0, &ccache); - } - if (!err) { - check_once_cc_get_principal(context, ccache, "foo.BAR@BAZ.ORG", CC_NOERROR, "trying to get krb4 princ for krb4 ccache"); - } - else { - log_error("cc_create failed, can't complete test"); - failure_count++; - } - // try with bad param if (!err) { check_once_cc_get_principal(context, ccache, NULL, CC_BAD_PARM, "passed null out param"); @@ -945,7 +903,6 @@ int check_cc_set_principal(void) { apiCB *context = NULL; ccache_p *ccache = NULL; char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5"; - char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4"; BEGIN_TEST("cc_set_principal"); 
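Review bot: After this hunk the "try with bad param" check in check_cc_get_principal appears to run with `ccache == NULL`: the context line just above shows `ccache = NULL;`, and the removed krb4 block was what re-created a ccache before that check. The call then passes both a NULL ccache and a NULL out parameter, so a CC_BAD_PARM result no longer shows that the out parameter itself is validated. I would re-create the v5 cache first, `err = cc_create(context, name_v5, "foo@BAR.ORG", CC_CRED_V5, 0, &ccache);`, before the bad-param call. The function begins and ends outside the hunk, so this should be checked against the full body.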
@@ -972,37 +929,6 @@ int check_cc_set_principal(void) { ccache = NULL; } - // empty ccache - - // replace v5 ccache's principal - if (!err) { - err = cc_create(context, name_v5, "foo@BAZ.ORG", CC_CRED_V5, 0, &ccache); - } - if (!err) { - check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_NOERROR, "replace v5 only ccache's principal (empty ccache)"); - check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v5 principal with v4"); - } - else { - log_error("cc_create failed, can't complete test"); - failure_count++; - } - if (ccache) { - cc_destroy(context, &ccache); - ccache = NULL; - } - - // replace v4 ccache's principal - if (!err) { - err = cc_create(context, name_v4, "foo@BAZ.ORG", CC_CRED_V4, 0, &ccache); - } - if (!err) { - check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_NOERROR, "replace v4 only ccache's principal (empty ccache)"); - check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v4 principal with v5"); - } - else { - log_error("cc_create failed, can't complete test"); - failure_count++; - } if (ccache) { cc_destroy(context, &ccache); ccache = NULL; @@ -1102,21 +1028,6 @@ int check_cc_store(void) { } } - // bad creds version - if (!err) { - err = new_v5_creds_union_compat(&creds_union, "BAR.ORG"); - - if (!err) { - creds_union.cred_type = CC_CRED_MAX; - check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "CC_CRED_MAX (invalid) into a ccache with only v5 princ"); - creds_union.cred_type = CC_CRED_V4; - check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "v4 creds into a v5 ccache"); - creds_union.cred_type = CC_CRED_V5; - - release_v5_creds_union_compat(&creds_union); - } - } - // non-existent ccache if (ccache) { err = cc_get_name(context, ccache, &name); 
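Review bot: The first removed block in check_cc_set_principal is not v4-specific: it created a CC_CRED_V5 ccache and asserted that `check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_NOERROR, ...)` succeeds on an empty ccache, and that coverage is lost together with the v4 assertion next to it. I would keep the `cc_create(..., CC_CRED_V5, ...)` step and that one CC_CRED_V5 assertion and drop only the `CC_CRED_V4` line. What remains on the new side is `if (ccache) { cc_destroy(context, &ccache); ccache = NULL; }` directly after a context line that already sets `ccache = NULL;`, which looks like dead code unless something outside the hunk reassigns ccache.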
diff --git a/src/include/CredentialsCache.h b/src/include/CredentialsCache.h index 54f71a1a0..c18159639 100644 --- a/src/include/CredentialsCache.h +++ b/src/include/CredentialsCache.h @@ -104,19 +104,19 @@ extern "C" { * \section introduction Introduction * * This is the specification for an API which provides Credentials Cache - * services for both Kerberos v5 and v4. The idea behind this API is that - * multiple Kerberos implementations can share a single collection of - * credentials caches, mediated by this API specification. On the Mac OS - * and Microsoft Windows platforms this will allow single-login, even when - * more than one Kerberos shared library is in use on a particular system. + * services for Kerberos v5 (and previously v4). The idea behind this API is + * that multiple Kerberos implementations can share a single collection of + * credentials caches, mediated by this API specification. On the Mac OS and + * Microsoft Windows platforms this will allow single-login, even when more + * than one Kerberos shared library is in use on a particular system. * * Abstractly, a credentials cache collection contains one or more credentials * caches, or ccaches. A ccache is uniquely identified by its name, which is * a string internal to the API and not intended to be presented to users. * The user presentable identifier of a ccache is its principal. * - * Unlike the previous versions of the API, version 3 of the API stores both - * Kerberos v4 and v5 credentials in the same ccache. + * Unlike the previous versions of the API, version 3 of the API could store + * credentials for multiple Kerberos versions in the same ccache. * * At any given time, one ccache is the "default" ccache. The exact meaning * of a default ccache is OS-specific; refer to implementation requirements 
@@ -305,10 +305,9 @@ enum { /*! * Credentials versions * - * These constants are used in several places in the API to discern - * between Kerberos v4 and Kerberos v5. Not all values are valid - * inputs and outputs for all functions; function specifications - * below detail the allowed values. + * These constants are used in several places in the API to discern Kerberos + * versions. Not all values are valid inputs and outputs for all functions; + * function specifications below detail the allowed values. * * Kerberos version constants will always be a bit-field, and can be * tested as such; for example the following test will tell you if @@ -317,9 +316,9 @@ enum { * if ((ccacheVersion & cc_credentials_v5) != 0) */ enum cc_credential_versions { - cc_credentials_v4 = 1, + /* cc_credentials_v4 = 1, */ cc_credentials_v5 = 2, - cc_credentials_v4_v5 = 3 + /* cc_credentials_v4_v5 = 3 */ }; /*! @@ -353,29 +352,6 @@ enum cc_lock_modes { cc_lock_block = 1 }; -/*! - * Sizes of fields in cc_credentials_v4_t. - */ -enum { - /* Make sure all of these are multiples of four (for alignment sanity) */ - cc_v4_name_size = 40, - cc_v4_instance_size = 40, - cc_v4_realm_size = 40, - cc_v4_ticket_size = 1254, - cc_v4_key_size = 8 -}; - -/*! - * String to key type (Kerberos v4 only) - */ -enum cc_string_to_key_type { - cc_v4_stk_afs = 0, - cc_v4_stk_des = 1, - cc_v4_stk_columbia_special = 2, - cc_v4_stk_krb5 = 3, - cc_v4_stk_unknown = 4 -}; - /*!@}*/ /*! 
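Review bot: In `enum cc_credential_versions` the retired enumerators are left as commented-out code, which does not tell a reader that 1 and 3 stay reserved because callers built against the old header may still pass them. I would replace the two comment lines with one statement of intent, e.g. `/* 1 (v4) and 3 (v4|v5) are retired: never reuse, reject with ccErrBadCredentialsVersion */`. The new side also ends the list with `cc_credentials_v5 = 2,` followed only by a comment; a trailing comma in an enumerator list is rejected or warned about by C89 and pre-C++11 compilers, and this header is wrapped in `extern "C"`, so dropping the comma is the safer form.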
@@ -482,15 +458,13 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t; * \defgroup cc_credentials_reference cc_credentials_t Overview * @{ * - * The cc_credentials_t type is used to store a single set of - * credentials for either Kerberos v4 or Kerberos v5. In addition - * to its only function, release(), it contains a pointer to a - * cc_credentials_union structure. A cc_credentials_union + * The cc_credentials_t type is used to store a single set of credentials for + * Kerberos v5. In addition to its only function, release(), it contains a + * pointer to a cc_credentials_union structure. A cc_credentials_union * structure contains an integer of the enumerator type - * cc_credentials_version, which is either #cc_credentials_v4 or - * #cc_credentials_v5, and a pointer union, which contains either a - * cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer, - * depending on the value in version. + * cc_credentials_version, which is #cc_credentials_v5, and a pointer union, + * which contains a cc_credentials_v5_t pointer, depending on the value in + * version. * * Variables of the type cc_credentials_t are allocated by the CCAPI * implementation, and should be released with their release() 
@@ -501,43 +475,6 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t; * For API functions see \ref cc_credentials_f. */ -/*! - * If a cc_credentials_t variable is used to store Kerberos v4 - * credentials, then credentials.credentials_v4 points to a v4 - * credentials structure. This structure is similar to a - * krb4 API CREDENTIALS structure. - */ -struct cc_credentials_v4_t { - cc_uint32 version; - /*! A properly quoted string representation of the first component of the client principal */ - char principal [cc_v4_name_size]; - /*! A properly quoted string representation of the second component of the client principal */ - char principal_instance [cc_v4_instance_size]; - /*! A properly quoted string representation of the first component of the service principal */ - char service [cc_v4_name_size]; - /*! A properly quoted string representation of the second component of the service principal */ - char service_instance [cc_v4_instance_size]; - /*! A properly quoted string representation of the realm */ - char realm [cc_v4_realm_size]; - /*! Ticket session key */ - unsigned char session_key [cc_v4_key_size]; - /*! Key version number */ - cc_int32 kvno; - /*! String to key type used. See cc_string_to_key_type for valid values */ - cc_int32 string_to_key_type; - /*! Time when the ticket was issued */ - cc_time_t issue_date; - /*! Ticket lifetime in 5 minute units */ - cc_int32 lifetime; - /*! IPv4 address of the client the ticket was issued for */ - cc_uint32 address; - /*! Ticket size (no greater than cc_v4_ticket_size) */ - cc_int32 ticket_size; - /*! Ticket data */ - unsigned char ticket [cc_v4_ticket_size]; -}; -typedef struct cc_credentials_v4_t cc_credentials_v4_t; - /*! * The CCAPI data structure. This structure is similar to a krb5_data structure. * In a v5 credentials structure, cc_data structures are used 
@@ -602,8 +539,6 @@ struct cc_credentials_union { cc_uint32 version; /*! The credentials. */ union { - /*! If \a version is #cc_credentials_v4, a pointer to a cc_credentials_v4_t. */ - cc_credentials_v4_t* credentials_v4; /*! If \a version is #cc_credentials_v5, a pointer to a cc_credentials_v5_t. */ cc_credentials_v5_t* credentials_v5; } credentials; @@ -781,13 +716,11 @@ struct cc_context_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_context_create_ccache(): Create a new ccache. * - * Create a new credentials cache. The ccache is uniquely identified by its name. - * The principal given is also associated with the ccache and the credentials - * version specified. A NULL name is not allowed (and ccErrBadName is returned - * if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid - * input values for cred_vers. If you want to create a new ccache that will hold - * both versions of credentials, call cc_context_create_ccache() with one version, - * and then cc_ccache_set_principal() with the other version. + * Create a new credentials cache. The ccache is uniquely identified by + * its name. The principal given is also associated with the ccache and + * the credentials version specified. A NULL name is not allowed (and + * ccErrBadName is returned if one is passed in). Only cc_credentials_v5 + * can be an input value for cred_vers. * * If you want to create a new ccache (with a unique name), you should use * cc_context_create_new_ccache() instead. If you want to create or reinitialize 
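Review bot: The rewrapped cc_context_create_ccache() paragraph still says a NULL name yields ccErrBadName, while the "NULL name" case in test_ccapi_context.c in this same patch expects `ccErrBadParam`. Since the paragraph is being rewritten anyway, the sentence should name the code the implementation actually returns, e.g. `A NULL name is not allowed (ccErrBadParam is returned if one is passed in).`, once that is confirmed against the implementation. The new sentence "Only cc_credentials_v5 can be an input value for cred_vers" would also be more useful if it stated the error for any other value; the removed tests expected ccErrBadCredentialsVersion.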
@@ -814,10 +747,9 @@ struct cc_context_f { * cc_context_get_default_ccache_name()); see the description of * cc_context_get_default_ccache_name() for details. * - * The principal should be a C string containing an unparsed Kerberos principal - * in the format of the appropriate Kerberos version, i.e. \verbatim foo.bar/@BAZ - * \endverbatim for Kerberos v4 and \verbatim foo/bar/@BAZ \endverbatim - * for Kerberos v5. + * The principal should be a C string containing an unparsed Kerberos + * principal in the format of the appropriate Kerberos version, + * i.e. \verbatim foo/bar/@BAZ \endverbatim for Kerberos v5. */ cc_int32 (*create_ccache) (cc_context_t in_context, const char *in_name, @@ -1014,14 +946,11 @@ struct cc_ccache_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_get_credentials_version(): Get the credentials version of a ccache. * - * cc_ccache_get_credentials_version() returns one value of the enumerated type - * cc_credentials_vers. The possible return values are #cc_credentials_v4 - * (if ccache's v4 principal has been set), #cc_credentials_v5 - * (if ccache's v5 principal has been set), or #cc_credentials_v4_v5 - * (if both ccache's v4 and v5 principals have been set). A ccache's - * principal is set with one of cc_context_create_ccache(), - * cc_context_create_new_ccache(), cc_context_create_default_ccache(), or - * cc_ccache_set_principal(). + * cc_ccache_get_credentials_version() returns one value of the enumerated + * type cc_credentials_vers. The return value is #cc_credentials_v5 (if + * ccache's v5 principal has been set). A ccache's principal is set with + * one of cc_context_create_ccache(), cc_context_create_new_ccache(), + * cc_context_create_default_ccache(), or cc_ccache_set_principal(). */ cc_int32 (*get_credentials_version) (cc_ccache_t in_ccache, cc_uint32 *out_credentials_version); 
@@ -1046,10 +975,7 @@ struct cc_ccache_f { * * Return the principal for the ccache that was set via cc_context_create_ccache(), * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or - * cc_ccache_set_principal(). Principals for v4 and v5 are separate, but - * should be kept synchronized for each ccache; they can be retrieved by - * passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing - * cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion. + * cc_ccache_set_principal(). */ cc_int32 (*get_principal) (cc_ccache_t in_ccache, cc_uint32 in_credentials_version, @@ -1063,10 +989,7 @@ struct cc_ccache_f { * \return On success, #ccNoError. On failure, an error code representing the failure. * \brief \b cc_ccache_set_principal(): Set the principal of a ccache. * - * Set the a principal for ccache. The v4 and v5 principals can be set - * independently, but they should always be kept equal, up to differences in - * string representation between v4 and v5. Passing cc_credentials_v4_v5 in - * cred_vers will result in the error ccErrBadCredentialsVersion. + * Set the a principal for ccache. */ cc_int32 (*set_principal) (cc_ccache_t io_ccache, cc_uint32 in_credentials_version, 
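Review bot: The shortened descriptions of cc_ccache_get_principal() and cc_ccache_set_principal() no longer say anything about `in_credentials_version`, although both function pointers still take it. I would add one sentence to each, e.g. `in_credentials_version must be cc_credentials_v5; any other value results in ccErrBadCredentialsVersion.`, after confirming the error code against the implementation, which is not part of these hunks. The set_principal hunk also keeps the typo "Set the a principal for ccache.", which could become `Set the principal for ccache.`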
@@ -1083,12 +1006,13 @@ struct cc_ccache_f { * See the description of the credentials types for the meaning of * cc_credentials_union fields. * - * Before credentials of a specific credential type can be stored in a ccache, - * the corresponding principal version has to be set. For example, before you can - * store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set - * either by cc_context_create_ccache(), cc_context_create_default_ccache(), - * cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for - * Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned. + * Before credentials of a specific credential type can be stored in a + * ccache, the corresponding principal version has to be set. That is, + * before you can store Kerberos v5 credentials in a ccache, the Kerberos + * v5 principal has to be set either by cc_context_create_ccache(), + * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or + * cc_ccache_set_principal(); otherwise, ccErrBadCredentialsVersion is + * returned. */ cc_int32 (*store_credentials) (cc_ccache_t io_ccache, const cc_credentials_union *in_credentials_union); diff --git a/src/include/CredentialsCache2.h b/src/include/CredentialsCache2.h index b3b48996d..9e5a346ac 100644 --- a/src/include/CredentialsCache2.h +++ b/src/include/CredentialsCache2.h 
@@ -85,36 +85,13 @@ typedef struct cc_credentials_v5_compat { cc_data_compat** authdata; } cc_credentials_v5_compat; -enum { - MAX_V4_CRED_LEN = 1250 -}; - enum { KRB_NAME_SZ = 40, KRB_INSTANCE_SZ = 40, KRB_REALM_SZ = 40 }; -typedef struct cc_credentials_v4_compat { - unsigned char kversion; - char principal[KRB_NAME_SZ+1]; - char principal_instance[KRB_INSTANCE_SZ+1]; - char service[KRB_NAME_SZ+1]; - char service_instance[KRB_INSTANCE_SZ+1]; - char realm[KRB_REALM_SZ+1]; - unsigned char session_key[8]; - cc_int32 kvno; - cc_int32 str_to_key; - long issue_date; - cc_int32 lifetime; - cc_uint32 address; - cc_int32 ticket_sz; - unsigned char ticket[MAX_V4_CRED_LEN]; - unsigned long oops; -} cc_credentials_v4_compat; - typedef union cred_ptr_union_compat { - cc_credentials_v4_compat* pV4Cred; cc_credentials_v5_compat* pV5Cred; } cred_ptr_union_compat; @@ -135,7 +112,6 @@ typedef struct infoNC infoNC; /* Some old type names */ -typedef cc_credentials_v4_compat V4Cred_type; typedef cc_credentials_v5_compat cc_creds; struct ccache_cit; typedef struct ccache_cit ccache_cit; @@ -166,7 +142,7 @@ enum { enum { CC_CRED_UNKNOWN, - CC_CRED_V4, + /* CC_CRED_V4, */ CC_CRED_V5, CC_CRED_MAX }; diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c index db69eebb4..cac61e45c 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc.c +++ b/src/lib/krb5/ccache/ccapi/stdcc.c @@ -589,7 +589,6 @@ krb5_stdccv3_next_cred (krb5_context context, err = stdccv3_setup (context, ccapi_data); } - /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */ while (!err) { err = cc_credentials_iterator_next (iterator, &credentials); @@ -836,7 +835,6 @@ krb5_stdccv3_remove (krb5_context context, &iterator); } - /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */ while (!err && !found) { cc_credentials_t credentials = NULL; diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c index 62d847c18..1f2a3865c 100644 
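Review bot: In the last CredentialsCache2.h hunk (@@ -166,7 +142,7), commenting out `CC_CRED_V4` in an enum with implicit values renumbers the rest: `CC_CRED_V5` changes from 2 to 1 and `CC_CRED_MAX` from 3 to 2. That differs from kfwlogon.h and leash-int.h in this same patch, which keep `CC_CRED_V5 = 2`, and a caller built against the old header that passes 2 would now be read as CC_CRED_MAX while the old v4 value 1 would be accepted as v5. Pinning the values keeps them stable: `CC_CRED_UNKNOWN = 0,`, `CC_CRED_V5 = 2,`, `CC_CRED_MAX = 3`, with a comment that 1 is retired. How the v2 shim maps these constants to `cc_credentials_v5` is outside the hunk, so the effect on that translation should be checked as well.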
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c +++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c @@ -521,9 +521,6 @@ cred_union_release (cc_credentials_union *in_cred_union) free (cv5); - } else if (in_cred_union->version == cc_credentials_v4 && - in_cred_union->credentials.credentials_v4) { - free (in_cred_union->credentials.credentials_v4); } free ((cc_credentials_union *) in_cred_union); } @@ -892,10 +889,7 @@ static void deep_free_cc_v5_creds (cc_creds* creds) static void deep_free_cc_creds (cred_union creds) { - if (creds.cred_type == CC_CRED_V4) { - /* we shouldn't get this, of course */ - free (creds.cred.pV4Cred); - } else if (creds.cred_type == CC_CRED_V5) { + if (creds.cred_type == CC_CRED_V5) { deep_free_cc_v5_creds (creds.cred.pV5Cred); } } diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h index b2674573e..622d5665c 100644 --- a/src/windows/kfwlogon/kfwlogon.h +++ b/src/windows/kfwlogon/kfwlogon.h @@ -94,7 +94,7 @@ typedef int cc_int32; enum { CC_CRED_VUNKNOWN = 0, // For validation - CC_CRED_V4 = 1, + /* CC_CRED_V4 = 1, */ CC_CRED_V5 = 2, CC_CRED_VMAX = 3 // For validation }; diff --git a/src/windows/leashdll/leash-int.h b/src/windows/leashdll/leash-int.h index cb40c607c..bf6f6a08d 100644 --- a/src/windows/leashdll/leash-int.h +++ b/src/windows/leashdll/leash-int.h @@ -182,7 +182,7 @@ typedef int cc_int32; enum { CC_CRED_VUNKNOWN = 0, // For validation - CC_CRED_V4 = 1, + /* CC_CRED_V4 = 1, */ CC_CRED_V5 = 2, CC_CRED_VMAX = 3 // For validation }; diff --git a/src/windows/lib/cacheapi.h b/src/windows/lib/cacheapi.h index b30857810..9aab4a098 100644 --- a/src/windows/lib/cacheapi.h +++ b/src/windows/lib/cacheapi.h 
@@ -126,52 +126,8 @@ typedef struct _cc_creds { cc_data ** authdata; } cc_creds; -// begin V4 stuff -// use an enumerated type so all callers infer the same meaning -// these values are what krbv4win uses internally. -#define STK_AFS 0 -#define STK_DES 1 - -// K4 uses a MAX_KTXT_LEN of 1250 to hold a ticket -// K95 uses 256 -// To be safe I'll use the larger number, but a factor of 5!!! -#define MAX_V4_CRED_LEN 1250 - -// V4 Credentials - -enum { - KRB_NAME_SZ = 40, - KRB_INSTANCE_SZ = 40, - KRB_REALM_SZ = 40 -}; - -typedef struct cc_V4credential { - unsigned char kversion; - char principal[KRB_NAME_SZ + 1]; - char principal_instance[KRB_INSTANCE_SZ + 1]; - char service[KRB_NAME_SZ + 1]; - char service_instance[KRB_INSTANCE_SZ + 1]; - char realm[KRB_REALM_SZ + 1]; - unsigned char session_key[8]; - cc_int32 kvno; // k95 used BYTE skvno - cc_int32 str_to_key; // k4 infers dynamically, k95 stores - long issue_date; // k95 called this issue_time - cc_int32 lifetime; // k95 used LONG expiration_time - cc_uint32 address; // IP Address of local host - cc_int32 ticket_sz; // k95 used BYTE, k4 ktext uses int to hold up to 1250 - unsigned char ticket[MAX_V4_CRED_LEN]; - unsigned long oops; // zero to catch runaways -} V4Cred_type; - -enum { - CC_CRED_VUNKNOWN = 0, // For validation - CC_CRED_V4 = 1, - CC_CRED_V5 = 2, - CC_CRED_VMAX = 3 // For validation -}; typedef union cred_ptr_union_type { - V4Cred_type* pV4Cred; cc_creds* pV5Cred; } cred_ptr_union; 
@@ -223,16 +179,15 @@ cc_get_change_time( ** create, open, close, destroy, get_principal, get_cred_version, & ** lock_request ** -** Multiple NCs are allowed within the main cache. Each has a Name -** and kerberos version # (V4 or V5). Caller gets "ccache_ptr"s for -** NCs. +** Multiple NCs are allowed within the main cache. Each has a Name and +** kerberos version # (V5). Caller gets "ccache_ptr"s for NCs. */ CCACHE_API cc_create( apiCB* cc_ctx, // > DLL's primary control structure const char* name, // > name of cache to be [destroyed if exists, then] created const char* principal, - cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5) + cc_int32 vers, // > ticket version (CC_CRED_V5) cc_uint32 cc_flags, // > options ccache_p** ccache_ptr // < NC control structure ); @@ -241,7 +196,7 @@ CCACHE_API cc_open( apiCB* cc_ctx, // > DLL's primary control structure const char* name, // > name of pre-created cache - cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5) + cc_int32 vers, // > ticket version (CC_CRED_V5) cc_uint32 cc_flags, // > options ccache_p** ccache_ptr // < NC control structure );
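Review bot: The updated parameter comments on cc_create() and cc_open() name `CC_CRED_V5`, but the earlier hunk of this file (@@ -126,52 +126,8) deletes the whole enum that defined `CC_CRED_VUNKNOWN`, `CC_CRED_V5` and `CC_CRED_VMAX`, not just the `CC_CRED_V4` member. kfwlogon.h and leash-int.h keep that enum with only the v4 line commented out, so cacheapi.h is inconsistent with them, and any includer relying on cacheapi.h for these constants would stop compiling unless another header supplies them. I would restore the enum in the same form, `CC_CRED_VUNKNOWN = 0,`, `CC_CRED_V5 = 2,`, `CC_CRED_VMAX = 3`. The cc_open() hunk may continue past the end of the visible text.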