krb5/Remove-Kerberos-v4-support-vestiges-from-ccapi.patch
Robbie Harwood fd463aed6a Don't warn in kadmin when no policy is specified
Do not always canonicalize enterprise principals
2020-01-03 11:36:21 -05:00


From 34aa9b5889a48f05b4dec33d40e72e97390118a5 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 4 Apr 2019 14:37:38 -0400
Subject: [PATCH] Remove Kerberos v4 support vestiges from ccapi
(cherry picked from commit 51395dc956ce9eef27c0d6843561d3d3828b03cd)
---
src/ccapi/common/cci_cred_union.c | 280 +------------------------
src/ccapi/lib/ccapi_v2.c | 34 +--
src/ccapi/lib/win/OldCC/ccapi.h | 20 --
src/ccapi/server/ccs_ccache.c | 69 +-----
src/ccapi/test/test_ccapi_ccache.c | 223 +++-----------------
src/ccapi/test/test_ccapi_constants.c | 2 -
src/ccapi/test/test_ccapi_context.c | 3 -
src/ccapi/test/test_ccapi_v2.c | 89 --------
src/include/CredentialsCache.h | 156 ++++----------
src/include/CredentialsCache2.h | 26 +--
src/lib/krb5/ccache/ccapi/stdcc.c | 2 -
src/lib/krb5/ccache/ccapi/stdcc_util.c | 8 +-
src/windows/kfwlogon/kfwlogon.h | 2 +-
src/windows/leashdll/leash-int.h | 2 +-
src/windows/lib/cacheapi.h | 53 +----
15 files changed, 98 insertions(+), 871 deletions(-)
diff --git a/src/ccapi/common/cci_cred_union.c b/src/ccapi/common/cci_cred_union.c
index 4c8981610..424a93dab 100644
--- a/src/ccapi/common/cci_cred_union.c
+++ b/src/ccapi/common/cci_cred_union.c
@@ -25,181 +25,6 @@
#include "cci_common.h"
-#ifdef TARGET_OS_MAC
-#pragma mark -
-#endif
-
-/* ------------------------------------------------------------------------ */
-
-static cc_uint32 cci_credentials_v4_release (cc_credentials_v4_t *io_v4creds)
-{
- cc_int32 err = ccNoError;
-
- if (!io_v4creds) { err = ccErrBadParam; }
-
- if (!err) {
- memset (io_v4creds, 0, sizeof (*io_v4creds));
- free (io_v4creds);
- }
-
- return err;
-}
-
-/* ------------------------------------------------------------------------ */
-
-static cc_uint32 cci_credentials_v4_read (cc_credentials_v4_t **out_v4creds,
- k5_ipc_stream io_stream)
-{
- cc_int32 err = ccNoError;
- cc_credentials_v4_t *v4creds = NULL;
-
- if (!io_stream ) { err = cci_check_error (ccErrBadParam); }
- if (!out_v4creds) { err = cci_check_error (ccErrBadParam); }
-
- if (!err) {
- v4creds = malloc (sizeof (*v4creds));
- if (!v4creds) { err = cci_check_error (ccErrNoMem); }
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->version);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->principal, cc_v4_name_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->principal_instance, cc_v4_instance_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->service, cc_v4_name_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->service_instance, cc_v4_instance_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->realm, cc_v4_realm_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->session_key, cc_v4_key_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->kvno);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->string_to_key_type);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_time (io_stream, &v4creds->issue_date);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->lifetime);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_uint32 (io_stream, &v4creds->address);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read_int32 (io_stream, &v4creds->ticket_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_read (io_stream, v4creds->ticket, cc_v4_ticket_size);
- }
-
- if (!err) {
- *out_v4creds = v4creds;
- v4creds = NULL;
- }
-
- free (v4creds);
-
- return cci_check_error (err);
-}
-
-/* ------------------------------------------------------------------------ */
-
-static cc_uint32 cci_credentials_v4_write (cc_credentials_v4_t *in_v4creds,
- k5_ipc_stream io_stream)
-{
- cc_int32 err = ccNoError;
-
- if (!io_stream ) { err = cci_check_error (ccErrBadParam); }
- if (!in_v4creds) { err = cci_check_error (ccErrBadParam); }
-
- if (!err) {
- err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->version);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal, cc_v4_name_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->principal_instance, cc_v4_instance_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->service, cc_v4_name_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->service_instance, cc_v4_instance_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->realm, cc_v4_realm_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->session_key, cc_v4_key_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->kvno);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->string_to_key_type);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write_time (io_stream, in_v4creds->issue_date);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->lifetime);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write_uint32 (io_stream, in_v4creds->address);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write_int32 (io_stream, in_v4creds->ticket_size);
- }
-
- if (!err) {
- err = krb5int_ipc_stream_write (io_stream, in_v4creds->ticket, cc_v4_ticket_size);
- }
-
- return cci_check_error (err);
-}
-
-#ifdef TARGET_OS_MAC
-#pragma mark -
-#endif
-
/* ------------------------------------------------------------------------ */
static cc_uint32 cci_cc_data_contents_release (cc_data *io_ccdata)
@@ -600,9 +425,7 @@ cc_uint32 cci_credentials_union_release (cc_credentials_union *io_cred_union)
if (!io_cred_union) { err = ccErrBadParam; }
if (!err) {
- if (io_cred_union->version == cc_credentials_v4) {
- cci_credentials_v4_release (io_cred_union->credentials.credentials_v4);
- } else if (io_cred_union->version == cc_credentials_v5) {
+ if (io_cred_union->version == cc_credentials_v5) {
cci_credentials_v5_release (io_cred_union->credentials.credentials_v5);
}
free (io_cred_union);
@@ -632,11 +455,7 @@ cc_uint32 cci_credentials_union_read (cc_credentials_union **out_credentials_uni
}
if (!err) {
- if (credentials_union->version == cc_credentials_v4) {
- err = cci_credentials_v4_read (&credentials_union->credentials.credentials_v4,
- io_stream);
-
- } else if (credentials_union->version == cc_credentials_v5) {
+ if (credentials_union->version == cc_credentials_v5) {
err = cci_credentials_v5_read (&credentials_union->credentials.credentials_v5,
io_stream);
@@ -671,11 +490,7 @@ cc_uint32 cci_credentials_union_write (const cc_credentials_union *in_credential
}
if (!err) {
- if (in_credentials_union->version == cc_credentials_v4) {
- err = cci_credentials_v4_write (in_credentials_union->credentials.credentials_v4,
- io_stream);
-
- } else if (in_credentials_union->version == cc_credentials_v5) {
+ if (in_credentials_union->version == cc_credentials_v5) {
err = cci_credentials_v5_write (in_credentials_union->credentials.credentials_v5,
io_stream);
@@ -714,11 +529,7 @@ cc_uint32 cci_cred_union_release (cred_union *io_cred_union)
if (!io_cred_union) { err = ccErrBadParam; }
if (!err) {
- if (io_cred_union->cred_type == CC_CRED_V4) {
- memset (io_cred_union->cred.pV4Cred, 0, sizeof (cc_credentials_v4_compat));
- free (io_cred_union->cred.pV4Cred);
-
- } else if (io_cred_union->cred_type == CC_CRED_V5) {
+ if (io_cred_union->cred_type == CC_CRED_V5) {
free (io_cred_union->cred.pV5Cred->client);
free (io_cred_union->cred.pV5Cred->server);
cci_cc_data_contents_release (&io_cred_union->cred.pV5Cred->keyblock);
@@ -829,36 +640,7 @@ cc_uint32 cci_credentials_union_to_cred_union (const cc_credentials_union *in_c
}
if (!err) {
- if (in_credentials_union->version == cc_credentials_v4) {
- cc_credentials_v4_compat *compat_v4creds = NULL;
-
- compat_v4creds = malloc (sizeof (*compat_v4creds));
- if (!compat_v4creds) { err = cci_check_error (ccErrNoMem); }
-
- if (!err) {
- cc_credentials_v4_t *v4creds = in_credentials_union->credentials.credentials_v4;
-
- compat_cred_union->cred_type = CC_CRED_V4;
- compat_cred_union->cred.pV4Cred = compat_v4creds;
-
- compat_v4creds->kversion = v4creds->version;
- strncpy (compat_v4creds->principal, v4creds->principal, KRB_NAME_SZ+1);
- strncpy (compat_v4creds->principal_instance, v4creds->principal_instance, KRB_INSTANCE_SZ+1);
- strncpy (compat_v4creds->service, v4creds->service, KRB_NAME_SZ+1);
- strncpy (compat_v4creds->service_instance, v4creds->service_instance, KRB_INSTANCE_SZ+1);
- strncpy (compat_v4creds->realm, v4creds->realm, KRB_REALM_SZ+1);
- memcpy (compat_v4creds->session_key, v4creds->session_key, 8);
- compat_v4creds->kvno = v4creds->kvno;
- compat_v4creds->str_to_key = v4creds->string_to_key_type;
- compat_v4creds->issue_date = v4creds->issue_date;
- compat_v4creds->lifetime = v4creds->lifetime;
- compat_v4creds->address = v4creds->address;
- compat_v4creds->ticket_sz = v4creds->ticket_size;
- memcpy (compat_v4creds->ticket, v4creds->ticket, MAX_V4_CRED_LEN);
- compat_v4creds->oops = 0;
- }
-
- } else if (in_credentials_union->version == cc_credentials_v5) {
+ if (in_credentials_union->version == cc_credentials_v5) {
cc_credentials_v5_t *v5creds = in_credentials_union->credentials.credentials_v5;
cc_credentials_v5_compat *compat_v5creds = NULL;
@@ -951,36 +733,7 @@ cc_uint32 cci_cred_union_to_credentials_union (const cred_union *in_cred_un
}
if (!err) {
- if (in_cred_union->cred_type == CC_CRED_V4) {
- cc_credentials_v4_compat *compat_v4creds = in_cred_union->cred.pV4Cred;
- cc_credentials_v4_t *v4creds = NULL;
-
- if (!err) {
- v4creds = malloc (sizeof (*v4creds));
- if (!v4creds) { err = cci_check_error (ccErrNoMem); }
- }
-
- if (!err) {
- creds_union->version = cc_credentials_v4;
- creds_union->credentials.credentials_v4 = v4creds;
-
- v4creds->version = compat_v4creds->kversion;
- strncpy (v4creds->principal, compat_v4creds->principal, KRB_NAME_SZ);
- strncpy (v4creds->principal_instance, compat_v4creds->principal_instance, KRB_INSTANCE_SZ);
- strncpy (v4creds->service, compat_v4creds->service, KRB_NAME_SZ);
- strncpy (v4creds->service_instance, compat_v4creds->service_instance, KRB_INSTANCE_SZ);
- strncpy (v4creds->realm, compat_v4creds->realm, KRB_REALM_SZ);
- memcpy (v4creds->session_key, compat_v4creds->session_key, 8);
- v4creds->kvno = compat_v4creds->kvno;
- v4creds->string_to_key_type = compat_v4creds->str_to_key;
- v4creds->issue_date = compat_v4creds->issue_date;
- v4creds->lifetime = compat_v4creds->lifetime;
- v4creds->address = compat_v4creds->address;
- v4creds->ticket_size = compat_v4creds->ticket_sz;
- memcpy (v4creds->ticket, compat_v4creds->ticket, MAX_V4_CRED_LEN);
- }
-
- } else if (in_cred_union->cred_type == CC_CRED_V5) {
+ if (in_cred_union->cred_type == CC_CRED_V5) {
cc_credentials_v5_compat *compat_v5creds = in_cred_union->cred.pV5Cred;
cc_credentials_v5_t *v5creds = NULL;
@@ -1072,26 +825,7 @@ cc_uint32 cci_cred_union_compare_to_credentials_union (const cred_union
if (!out_equal ) { err = cci_check_error (ccErrBadParam); }
if (!err) {
- if (in_cred_union_compat->cred_type == CC_CRED_V4 &&
- in_credentials_union->version == cc_credentials_v4) {
- cc_credentials_v4_compat *old_creds_v4 = in_cred_union_compat->cred.pV4Cred;
- cc_credentials_v4_t *new_creds_v4 = in_credentials_union->credentials.credentials_v4;
-
- if (old_creds_v4 && new_creds_v4 &&
- !strcmp (old_creds_v4->principal,
- new_creds_v4->principal) &&
- !strcmp (old_creds_v4->principal_instance,
- new_creds_v4->principal_instance) &&
- !strcmp (old_creds_v4->service,
- new_creds_v4->service) &&
- !strcmp (old_creds_v4->service_instance,
- new_creds_v4->service_instance) &&
- !strcmp (old_creds_v4->realm, new_creds_v4->realm) &&
- (old_creds_v4->issue_date == (long) new_creds_v4->issue_date)) {
- equal = 1;
- }
-
- } else if (in_cred_union_compat->cred_type == CC_CRED_V5 &&
+ if (in_cred_union_compat->cred_type == CC_CRED_V5 &&
in_credentials_union->version == cc_credentials_v5) {
cc_credentials_v5_compat *old_creds_v5 = in_cred_union_compat->cred.pV5Cred;
cc_credentials_v5_t *new_creds_v5 = in_credentials_union->credentials.credentials_v5;
diff --git a/src/ccapi/lib/ccapi_v2.c b/src/ccapi/lib/ccapi_v2.c
index 8a831d796..ae9b790b0 100644
--- a/src/ccapi/lib/ccapi_v2.c
+++ b/src/ccapi/lib/ccapi_v2.c
@@ -44,10 +44,7 @@ static cc_int32 cci_remap_version (cc_int32 in_v2_version,
if (!out_v3_version) { err = cci_check_error (ccErrBadParam); }
if (!err) {
- if (in_v2_version == CC_CRED_V4) {
- *out_v3_version = cc_credentials_v4;
-
- } else if (in_v2_version == CC_CRED_V5) {
+ if (in_v2_version == CC_CRED_V5) {
*out_v3_version = cc_credentials_v5;
} else {
@@ -450,10 +447,7 @@ cc_result cc_get_cred_version (apiCB *in_context,
}
if (!err) {
- if (compat_version == cc_credentials_v4) {
- *out_version = CC_CRED_V4;
-
- } else if (compat_version == cc_credentials_v5) {
+ if (compat_version == cc_credentials_v5) {
*out_version = CC_CRED_V5;
} else {
@@ -642,10 +636,6 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context,
if (!out_ccache ) { err = cci_check_error (ccErrBadParam); }
if (!in_iterator) { err = cci_check_error (ccErrBadParam); }
- /* CCache iterators need to return some ccaches twice (when v3 ccache has
- * two kinds of credentials). To do that, we return such ccaches twice
- * v4 first, then v5. */
-
if (!err) {
err = cci_ccache_iterator_get_saved_ccache_name (iterator,
&saved_ccache_name);
@@ -674,25 +664,7 @@ cc_result cc_seq_fetch_NCs_next (apiCB *in_context,
}
if (!err) {
- if (version == cc_credentials_v4_v5) {
- cc_string_t name = NULL;
-
- err = cci_ccache_set_compat_version (ccache, cc_credentials_v4);
-
- if (!err) {
- err = ccapi_ccache_get_name (ccache, &name);
- }
-
- if (!err) {
- err = cci_ccache_iterator_set_saved_ccache_name (iterator,
- name->data);
- }
-
- if (name) { ccapi_string_release (name); }
-
- } else {
- err = cci_ccache_set_compat_version (ccache, version);
- }
+ err = cci_ccache_set_compat_version (ccache, version);
}
}
}
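Review bot: With the v4-then-v5 branch removed, nothing visible in cc_seq_fetch_NCs_next calls cci_ccache_iterator_set_saved_ccache_name any more, yet the function still begins by calling cci_ccache_iterator_get_saved_ccache_name (context lines of the preceding hunk). If no other caller sets the saved name, that lookup and the branch that consumes saved_ccache_name are now dead code and could be dropped in the same change. If they are kept deliberately, a comment such as `/* saved name is never set now that ccaches are returned once; kept for iterator layout compatibility */` would record why. The function starts and ends outside this hunk, so this needs confirming against the full file.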
diff --git a/src/ccapi/lib/win/OldCC/ccapi.h b/src/ccapi/lib/win/OldCC/ccapi.h
index 82512771a..4d6f3faaf 100644
--- a/src/ccapi/lib/win/OldCC/ccapi.h
+++ b/src/ccapi/lib/win/OldCC/ccapi.h
@@ -80,7 +80,6 @@ enum __MIDL_ccapi_0003
{ KRB_NAME_SZ = 40,
KRB_INSTANCE_SZ = 40,
KRB_REALM_SZ = 40,
- MAX_V4_CRED_LEN = 1250
} ;
typedef struct _NC_INFO
{
@@ -95,24 +94,6 @@ typedef struct _NC_INFO_LIST
/* [size_is] */ NC_INFO *info;
} NC_INFO_LIST;
-typedef struct _V4_CRED
- {
- CC_UCHAR kversion;
- CC_CHAR principal[ 41 ];
- CC_CHAR principal_instance[ 41 ];
- CC_CHAR service[ 41 ];
- CC_CHAR service_instance[ 41 ];
- CC_CHAR realm[ 41 ];
- CC_UCHAR session_key[ 8 ];
- CC_INT32 kvno;
- CC_INT32 str_to_key;
- CC_INT32 issue_date;
- CC_INT32 lifetime;
- CC_UINT32 address;
- CC_INT32 ticket_sz;
- CC_UCHAR ticket[ 1250 ];
- } V4_CRED;
-
typedef struct _CC_DATA
{
CC_UINT32 type;
@@ -145,7 +126,6 @@ typedef struct _V5_CRED
typedef /* [switch_type] */ union _CRED_PTR_UNION
{
- /* [case()] */ V4_CRED *pV4Cred;
/* [case()] */ V5_CRED *pV5Cred;
} CRED_PTR_UNION;
diff --git a/src/ccapi/server/ccs_ccache.c b/src/ccapi/server/ccs_ccache.c
index 65c59e4be..645380a7b 100644
--- a/src/ccapi/server/ccs_ccache.c
+++ b/src/ccapi/server/ccs_ccache.c
@@ -31,19 +31,16 @@ struct ccs_ccache_d {
ccs_lock_state_t lock_state;
cc_uint32 creds_version;
char *name;
- char *v4_principal;
char *v5_principal;
cc_time_t last_default_time;
cc_time_t last_changed_time;
- cc_uint32 kdc_time_offset_v4_valid;
- cc_time_t kdc_time_offset_v4;
cc_uint32 kdc_time_offset_v5_valid;
cc_time_t kdc_time_offset_v5;
ccs_credentials_list_t credentials;
ccs_callback_array_t change_callbacks;
};
-struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, NULL, 0, 0, 0, 0, 0, 0, NULL, NULL };
+struct ccs_ccache_d ccs_ccache_initializer = { NULL, NULL, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL };
/* ------------------------------------------------------------------------ */
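Review bot: ccs_ccache_initializer remains a positional initializer, so its correctness depends on hand-counting eleven values against the struct's field order; removing three members meant deleting exactly the matching three entries. A miscount here would silently shift a 0 or NULL onto the wrong field of every new ccache. Where the toolchain permits C99, designated initializers (`.v5_principal = NULL, .kdc_time_offset_v5_valid = 0, ...`) would make the next member removal mechanical, and a short comment listing the field order would help otherwise. The struct's leading member(s) lie above the hunk, so the count cannot be fully verified from the visible lines.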
@@ -88,11 +85,7 @@ cc_int32 ccs_ccache_new (ccs_ccache_t *out_ccache,
if (!err) {
ccache->creds_version = in_creds_version;
- if (ccache->creds_version == cc_credentials_v4) {
- ccache->v4_principal = strdup (in_principal);
- if (!ccache->v4_principal) { err = cci_check_error (ccErrNoMem); }
-
- } else if (ccache->creds_version == cc_credentials_v5) {
+ if (ccache->creds_version == cc_credentials_v5) {
ccache->v5_principal = strdup (in_principal);
if (!ccache->v5_principal) { err = cci_check_error (ccErrNoMem); }
@@ -147,7 +140,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache,
const char *in_principal)
{
cc_int32 err = ccNoError;
- char *v4_principal = NULL;
char *v5_principal = NULL;
ccs_credentials_list_t credentials = NULL;
@@ -158,11 +150,7 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache,
if (!err) {
io_ccache->creds_version = in_creds_version;
- if (io_ccache->creds_version == cc_credentials_v4) {
- v4_principal = strdup (in_principal);
- if (!v4_principal) { err = cci_check_error (ccErrNoMem); }
-
- } else if (io_ccache->creds_version == cc_credentials_v5) {
+ if (io_ccache->creds_version == cc_credentials_v5) {
v5_principal = strdup (in_principal);
if (!v5_principal) { err = cci_check_error (ccErrNoMem); }
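Review bot: ccs_ccache_reset executes `io_ccache->creds_version = in_creds_version;` before it checks that the version is supported, so a reset request carrying a retired value (for example the former cc_credentials_v4) leaves the live ccache tagged with that value even when the call fails. This assumes the else branch just below the hunk reports ccErrBadCredentialsVersion. Now that v5 is the only accepted version, validate first with `if (in_creds_version != cc_credentials_v5) { err = cci_check_error (ccErrBadCredentialsVersion); }` and assign creds_version in the later `if (!err)` block where v5_principal is committed. The function body continues outside this hunk.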
@@ -176,15 +164,9 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache,
}
if (!err) {
- io_ccache->kdc_time_offset_v4 = 0;
- io_ccache->kdc_time_offset_v4_valid = 0;
io_ccache->kdc_time_offset_v5 = 0;
io_ccache->kdc_time_offset_v5_valid = 0;
- if (io_ccache->v4_principal) { free (io_ccache->v4_principal); }
- io_ccache->v4_principal = v4_principal;
- v4_principal = NULL; /* take ownership */
-
if (io_ccache->v5_principal) { free (io_ccache->v5_principal); }
io_ccache->v5_principal = v5_principal;
v5_principal = NULL; /* take ownership */
@@ -196,7 +178,6 @@ cc_int32 ccs_ccache_reset (ccs_ccache_t io_ccache,
err = ccs_ccache_changed (io_ccache, io_cache_collection);
}
- free (v4_principal);
free (v5_principal);
ccs_credentials_list_release (credentials);
@@ -250,7 +231,6 @@ cc_int32 ccs_ccache_release (ccs_ccache_t io_ccache)
cci_identifier_release (io_ccache->identifier);
ccs_lock_state_release (io_ccache->lock_state);
free (io_ccache->name);
- free (io_ccache->v4_principal);
free (io_ccache->v5_principal);
ccs_credentials_list_release (io_ccache->credentials);
ccs_callback_array_release (io_ccache->change_callbacks);
@@ -607,15 +587,8 @@ static cc_int32 ccs_ccache_get_principal (ccs_ccache_t io_ccache,
err = krb5int_ipc_stream_read_uint32 (in_request_data, &version);
}
- if (!err && version == cc_credentials_v4_v5) {
- err = cci_check_error (ccErrBadCredentialsVersion);
- }
-
if (!err) {
- if (version == cc_credentials_v4) {
- err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v4_principal);
-
- } else if (version == cc_credentials_v5) {
+ if (version == cc_credentials_v5) {
err = krb5int_ipc_stream_write_string (io_reply_data, io_ccache->v5_principal);
} else {
@@ -652,16 +625,7 @@ static cc_int32 ccs_ccache_set_principal (ccs_ccache_t io_ccache,
if (!err) {
/* reset KDC time offsets because they are per-KDC */
- if (version == cc_credentials_v4) {
- io_ccache->kdc_time_offset_v4 = 0;
- io_ccache->kdc_time_offset_v4_valid = 0;
-
- if (io_ccache->v4_principal) { free (io_ccache->v4_principal); }
- io_ccache->v4_principal = principal;
- principal = NULL; /* take ownership */
-
-
- } else if (version == cc_credentials_v5) {
+ if (version == cc_credentials_v5) {
io_ccache->kdc_time_offset_v5 = 0;
io_ccache->kdc_time_offset_v5_valid = 0;
@@ -998,14 +962,7 @@ static cc_int32 ccs_ccache_get_kdc_time_offset (ccs_ccache_t io_ccache
}
if (!err) {
- if (cred_vers == cc_credentials_v4) {
- if (io_ccache->kdc_time_offset_v4_valid) {
- err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v4);
- } else {
- err = cci_check_error (ccErrTimeOffsetNotSet);
- }
-
- } else if (cred_vers == cc_credentials_v5) {
+ if (cred_vers == cc_credentials_v5) {
if (io_ccache->kdc_time_offset_v5_valid) {
err = krb5int_ipc_stream_write_time (io_reply_data, io_ccache->kdc_time_offset_v5);
} else {
@@ -1040,13 +997,7 @@ static cc_int32 ccs_ccache_set_kdc_time_offset (ccs_ccache_t io_ccache
}
if (!err) {
- if (cred_vers == cc_credentials_v4) {
- err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v4);
-
- if (!err) {
- io_ccache->kdc_time_offset_v4_valid = 1;
- }
- } else if (cred_vers == cc_credentials_v5) {
+ if (cred_vers == cc_credentials_v5) {
err = krb5int_ipc_stream_read_time (in_request_data, &io_ccache->kdc_time_offset_v5);
if (!err) {
@@ -1084,11 +1035,7 @@ static cc_int32 ccs_ccache_clear_kdc_time_offset (ccs_ccache_t io_ccac
}
if (!err) {
- if (cred_vers == cc_credentials_v4) {
- io_ccache->kdc_time_offset_v4 = 0;
- io_ccache->kdc_time_offset_v4_valid = 0;
-
- } else if (cred_vers == cc_credentials_v5) {
+ if (cred_vers == cc_credentials_v5) {
io_ccache->kdc_time_offset_v5 = 0;
io_ccache->kdc_time_offset_v5_valid = 0;
diff --git a/src/ccapi/test/test_ccapi_ccache.c b/src/ccapi/test/test_ccapi_ccache.c
index a0fd84af1..fe63e6710 100644
--- a/src/ccapi/test/test_ccapi_ccache.c
+++ b/src/ccapi/test/test_ccapi_ccache.c
@@ -303,18 +303,6 @@ int check_cc_ccache_get_credentials_version(void) {
failure_count++;
}
- // try it with added v4 creds
- if (!err) {
- err = cc_ccache_set_principal(ccache, cc_credentials_v4, "foo@BAR.ORG");
- }
- if (!err) {
- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v5 with v4 creds added");
- }
- else {
- log_error("cc_ccache_set_principal failed, can't complete test");
- failure_count++;
- }
-
if (ccache) {
cc_ccache_destroy(ccache);
ccache = NULL;
@@ -322,35 +310,6 @@ int check_cc_ccache_get_credentials_version(void) {
err = ccNoError;
- // try one created with v4 creds
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAR.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4, ccNoError, "v4 creds");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
-
- // try it with added v5 creds
- if (!err) {
- err = cc_ccache_set_principal(ccache, cc_credentials_v5, "foo@BAR.ORG");
- }
- if (!err) {
- check_once_cc_ccache_get_credentials_version(ccache, cc_credentials_v4_v5, ccNoError, "v4 with v5 creds added");
- }
- else {
- log_error("cc_ccache_set_principal failed, can't complete test");
- failure_count++;
- }
-
- if (ccache) {
- cc_ccache_destroy(ccache);
- ccache = NULL;
- }
-
if (context) { cc_context_release(context); }
#endif /* cc_ccache_get_credentials_version */
@@ -582,31 +541,13 @@ int check_cc_ccache_get_principal(void) {
log_error("cc_context_create_new_ccache failed, can't complete test");
failure_count++;
}
- if (ccache) {
- cc_ccache_release(ccache);
- ccache = NULL;
- }
- // try with krb4 principal
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo.BAR@BAZ.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_get_principal(ccache, cc_credentials_v4, "foo.BAR@BAZ.ORG", ccNoError, "trying to get krb4 princ for krb4 ccache");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
-
- // try with bad param
- if (!err) {
- // cc_ccache_t doesn't have any concept of the difference between a v4 and v5 principal
- check_once_cc_ccache_get_principal(ccache, cc_credentials_v4_v5, "foo.BAR@BAZ.ORG",
- ccErrBadCredentialsVersion,
- "passing cc_credentials_v4_v5 (shouldn't be allowed)");
- check_once_cc_ccache_get_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "passed null out param");
- }
+ // try with bad param
+ if (!err) {
+ check_once_cc_ccache_get_principal(ccache, cc_credentials_v5,
+ NULL, ccErrBadParam,
+ "passed null out param");
+ }
if (ccache) {
cc_ccache_release(ccache);
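Review bot: The rewritten bad-parameter block in check_cc_ccache_get_principal no longer exercises an unsupported credentials version; the removed cc_credentials_v4_v5 case was the only check here that the call fails with ccErrBadCredentialsVersion. The server-side dispatch now relies entirely on its else branch to reject non-v5 values arriving over IPC, so a case passing a retired value keeps that path covered, e.g. `check_once_cc_ccache_get_principal(ccache, 1, "foo.BAR@BAZ.ORG", ccErrBadCredentialsVersion, "retired v4 creds version");`. The value 1 is the old cc_credentials_v4 constant, and the expected error is presumed from the removed test, so confirm it. The same coverage gap appears in the set_principal, store_credentials, kdc_time_offset and context-creation test hunks of this patch. The function continues outside this hunk.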
@@ -643,99 +584,33 @@ int check_cc_ccache_set_principal(void) {
err = destroy_all_ccaches(context);
}
- // bad params
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4_v5, "foo/BAZ@BAR.ORG", ccErrBadCredentialsVersion, "cc_credentials_v4_v5 (not allowed)");
- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL principal");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
- if (ccache) {
- cc_ccache_destroy(ccache);
- ccache = NULL;
- }
+ // replace v5 only ccache's principal
+ if (!err) {
+ err = cc_context_create_new_ccache(context, cc_credentials_v5,
+ "foo@BAZ.ORG", &ccache);
+ }
+ if (!err) {
+ check_once_cc_ccache_set_principal(
+ ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError,
+ "replace v5 only ccache's principal (empty ccache)");
+ }
+ else {
+ log_error(
+ "cc_context_create_new_ccache failed, can't complete test");
+ failure_count++;
+ }
+ // bad params
+ if (!err) {
+ check_once_cc_ccache_set_principal(ccache, cc_credentials_v5,
+ NULL, ccErrBadParam,
+ "NULL principal");
+ }
- // empty ccache
-
- // replace v5 only ccache's principal
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "replace v5 only ccache's principal (empty ccache)");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
- if (ccache) {
- cc_ccache_destroy(ccache);
- ccache = NULL;
- }
-
- // add v4 principal to v5 only ccache
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v5, "foo@BAZ.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "add v4 principal to v5 only ccache (empty ccache)");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
- if (ccache) {
- cc_ccache_destroy(ccache);
- ccache = NULL;
- }
-
- // replace v4 only ccache's principal
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_set_principal(ccache, cc_credentials_v4, "foo.BAZ@BAR.ORG", ccNoError, "replace v4 only ccache's principal (empty ccache)");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
- if (ccache) {
- cc_ccache_destroy(ccache);
- ccache = NULL;
- }
-
- // add v5 principal to v4 only ccache
- if (!err) {
- err = cc_context_create_new_ccache(context, cc_credentials_v4, "foo@BAZ.ORG", &ccache);
- }
- if (!err) {
- check_once_cc_ccache_set_principal(ccache, cc_credentials_v5, "foo/BAZ@BAR.ORG", ccNoError, "add v5 principal to v4 only ccache (empty ccache)");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
- if (ccache) {
- cc_ccache_destroy(ccache);
- ccache = NULL;
- }
-
- // with credentials
-
- // replace v5 only ccache's principal
-
- // add v4 principal to v5 only ccache
-
- // replace v4 only ccache's principal
-
- // add v5 principal to v4 only ccache
+ if (ccache) {
+ cc_ccache_destroy(ccache);
+ ccache = NULL;
+ }
if (context) {
err = destroy_all_ccaches(context);
@@ -847,21 +722,6 @@ int check_cc_ccache_store_credentials(void) {
if (&creds_union) { release_v5_creds_union(&creds_union); }
- // bad creds version
- if (!err) {
- err = new_v5_creds_union(&creds_union, "BAR.ORG");
- }
-
- if (!err) {
- creds_union.version = cc_credentials_v4_v5;
- check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4_v5 creds (invalid) into a ccache with only v5 princ");
- creds_union.version = cc_credentials_v4;
- check_once_cc_ccache_store_credentials(ccache, &creds_union, ccErrBadCredentialsVersion, "v4 creds into a ccache with only v5 princ");
- creds_union.version = cc_credentials_v5;
- }
-
- if (&creds_union) { release_v5_creds_union(&creds_union); }
-
// non-existent ccache
if (ccache) {
err = cc_ccache_get_name(ccache, &name);
@@ -1809,21 +1669,10 @@ int check_cc_ccache_get_kdc_time_offset(void) {
err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, time_offset);
}
if (!err) {
- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5 but not v4");
+ check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, &time_offset, ccNoError, "offset set for v5");
}
- if (!err) {
- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccErrTimeOffsetNotSet, "asking for v4 offset when only v5 is set");
- }
- if (!err) {
- err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, time_offset);
- }
- if (!err) {
- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4, &time_offset, ccNoError, "asking for v4 offset when v4 and v5 are set");
- }
-
check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v5, NULL, ccErrBadParam, "NULL time_offset out param");
- check_once_cc_ccache_get_kdc_time_offset(ccache, cc_credentials_v4_v5, &time_offset, ccErrBadCredentialsVersion, "v4_v5 creds_vers in param (invalid)");
if (ccache) { cc_ccache_release(ccache); }
@@ -1900,9 +1749,6 @@ int check_cc_ccache_set_kdc_time_offset(void) {
}
check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0, ccNoError, "first time setting offset (v5)");
- check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0, ccNoError, "first time setting offset (v4)");
-
- check_once_cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4_v5, 0, ccErrBadCredentialsVersion, "invalid creds_vers (v4_v5)");
if (ccache) { cc_ccache_release(ccache); }
@@ -1978,15 +1824,10 @@ int check_cc_ccache_clear_kdc_time_offset(void) {
}
check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing an offset that was never set (v5)");
- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing an offset that was never set (v4)");
err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v5, 0);
- err = cc_ccache_set_kdc_time_offset(ccache, cc_credentials_v4, 0);
check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v5, ccNoError, "clearing v5");
- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4, ccNoError, "clearing v4");
-
- check_once_cc_ccache_clear_kdc_time_offset(ccache, cc_credentials_v4_v5, ccErrBadCredentialsVersion, "bad in param creds vers (v4_v5)");
if (ccache) { cc_ccache_release(ccache); }
diff --git a/src/ccapi/test/test_ccapi_constants.c b/src/ccapi/test/test_ccapi_constants.c
index 9f2aecbc2..57377262e 100644
--- a/src/ccapi/test/test_ccapi_constants.c
+++ b/src/ccapi/test/test_ccapi_constants.c
@@ -46,9 +46,7 @@ int check_constants(void) {
/* Credentials versions */
- check_int(cc_credentials_v4, 1);
check_int(cc_credentials_v5, 2);
- check_int(cc_credentials_v4_v5, (cc_credentials_v4 | cc_credentials_v5));
/* Lock types */
diff --git a/src/ccapi/test/test_ccapi_context.c b/src/ccapi/test/test_ccapi_context.c
index 09feebee5..2dc348ea0 100644
--- a/src/ccapi/test/test_ccapi_context.c
+++ b/src/ccapi/test/test_ccapi_context.c
@@ -583,7 +583,6 @@ int check_cc_context_create_ccache(void) {
// try bad parameters
err = check_once_cc_context_create_ccache(context, NULL, cc_credentials_v5, "foo@BAR.ORG", &ccache, ccErrBadParam, "NULL name"); // NULL name
- err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers
err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal
err = check_once_cc_context_create_ccache(context, "name", cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache
}
@@ -681,7 +680,6 @@ int check_cc_context_create_default_ccache(void) {
}
// try bad parameters
- err = check_once_cc_context_create_default_ccache(context, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers
err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal
err = check_once_cc_context_create_default_ccache(context, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache
}
@@ -773,7 +771,6 @@ int check_cc_context_create_new_ccache(void) {
if (ccache) { cc_ccache_release(ccache); }
// try bad parameters
- err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v4_v5, "foo@BAR.ORG", &ccache, ccErrBadCredentialsVersion, "invalid creds_vers"); // invalid creds_vers
err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, NULL, &ccache, ccErrBadParam, "NULL principal"); // NULL principal
err = check_once_cc_context_create_new_ccache(context, 1, cc_credentials_v5, "foo@BAR.ORG", NULL, ccErrBadParam, "NULL ccache"); // NULL ccache
}
diff --git a/src/ccapi/test/test_ccapi_v2.c b/src/ccapi/test/test_ccapi_v2.c
index e0205ce46..c71bb45a8 100644
--- a/src/ccapi/test/test_ccapi_v2.c
+++ b/src/ccapi/test/test_ccapi_v2.c
@@ -45,20 +45,6 @@ static int compare_v5_creds_unions_compat(const cred_union *a, const cred_union
a->cred.pV5Cred->starttime == b->cred.pV5Cred->starttime) {
retval = 0;
}
- } else if (a->cred_type == CC_CRED_V4) {
- if (!strcmp (a->cred.pV4Cred->principal,
- b->cred.pV4Cred->principal) &&
- !strcmp (a->cred.pV4Cred->principal_instance,
- b->cred.pV4Cred->principal_instance) &&
- !strcmp (a->cred.pV4Cred->service,
- b->cred.pV4Cred->service) &&
- !strcmp (a->cred.pV4Cred->service_instance,
- b->cred.pV4Cred->service_instance) &&
- !strcmp (a->cred.pV4Cred->realm,
- b->cred.pV4Cred->realm) &&
- a->cred.pV4Cred->issue_date == b->cred.pV4Cred->issue_date) {
- retval = 0;
- }
}
}
@@ -361,10 +347,6 @@ int check_cc_open(void) {
err = check_once_cc_open(context, name, CC_CRED_V5, &ccache, CC_NOERROR, NULL);
}
- // check version
- if (!err) {
- err = check_once_cc_open(context, name, CC_CRED_V4, &ccache, CC_ERR_CRED_VERSION, NULL);
- }
// try bad parameters
err = check_once_cc_open(context, NULL, CC_CRED_V5, &ccache, CC_BAD_PARM, NULL);
err = check_once_cc_open(context, name, CC_CRED_V5, NULL, CC_BAD_PARM, NULL);
@@ -681,17 +663,6 @@ int check_cc_get_cred_version(void) {
err = CC_NOERROR;
- // try one created with v4 creds
- if (!err) {
- err = cc_create(context, name, "foo@BAR.ORG", CC_CRED_V4, 0, &ccache);
- }
- if (!err) {
- check_once_cc_get_cred_version(context, ccache, CC_CRED_V4, CC_NOERROR, "v4 creds");
- }
- else {
- log_error("cc_context_create_new_ccache failed, can't complete test");
- failure_count++;
- }
if (ccache) {
cc_destroy(context, &ccache);
ccache = NULL;
@@ -840,7 +811,6 @@ int check_cc_get_principal(void) {
apiCB *context = NULL;
ccache_p *ccache = NULL;
char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5";
- char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4";
BEGIN_TEST("cc_get_principal");
@@ -866,18 +836,6 @@ int check_cc_get_principal(void) {
ccache = NULL;
}
- // try with krb4 principal
- if (!err) {
- err = cc_create(context, name_v4, "foo.BAR@BAZ.ORG", CC_CRED_V4, 0, &ccache);
- }
- if (!err) {
- check_once_cc_get_principal(context, ccache, "foo.BAR@BAZ.ORG", CC_NOERROR, "trying to get krb4 princ for krb4 ccache");
- }
- else {
- log_error("cc_create failed, can't complete test");
- failure_count++;
- }
-
// try with bad param
if (!err) {
check_once_cc_get_principal(context, ccache, NULL, CC_BAD_PARM, "passed null out param");
@@ -945,7 +903,6 @@ int check_cc_set_principal(void) {
apiCB *context = NULL;
ccache_p *ccache = NULL;
char *name_v5 = "TEST_CC_GET_PRINCIPAL_V5";
- char *name_v4 = "TEST_CC_GET_PRINCIPAL_V4";
BEGIN_TEST("cc_set_principal");
@@ -972,37 +929,6 @@ int check_cc_set_principal(void) {
ccache = NULL;
}
- // empty ccache
-
- // replace v5 ccache's principal
- if (!err) {
- err = cc_create(context, name_v5, "foo@BAZ.ORG", CC_CRED_V5, 0, &ccache);
- }
- if (!err) {
- check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_NOERROR, "replace v5 only ccache's principal (empty ccache)");
- check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v5 principal with v4");
- }
- else {
- log_error("cc_create failed, can't complete test");
- failure_count++;
- }
- if (ccache) {
- cc_destroy(context, &ccache);
- ccache = NULL;
- }
-
- // replace v4 ccache's principal
- if (!err) {
- err = cc_create(context, name_v4, "foo@BAZ.ORG", CC_CRED_V4, 0, &ccache);
- }
- if (!err) {
- check_once_cc_set_principal(context, ccache, CC_CRED_V4, "foo.BAZ@BAR.ORG", CC_NOERROR, "replace v4 only ccache's principal (empty ccache)");
- check_once_cc_set_principal(context, ccache, CC_CRED_V5, "foo/BAZ@BAR.ORG", CC_ERR_CRED_VERSION, "replace v4 principal with v5");
- }
- else {
- log_error("cc_create failed, can't complete test");
- failure_count++;
- }
if (ccache) {
cc_destroy(context, &ccache);
ccache = NULL;
@@ -1102,21 +1028,6 @@ int check_cc_store(void) {
}
}
- // bad creds version
- if (!err) {
- err = new_v5_creds_union_compat(&creds_union, "BAR.ORG");
-
- if (!err) {
- creds_union.cred_type = CC_CRED_MAX;
- check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "CC_CRED_MAX (invalid) into a ccache with only v5 princ");
- creds_union.cred_type = CC_CRED_V4;
- check_once_cc_store(context, ccache, creds_union, CC_ERR_CRED_VERSION, "v4 creds into a v5 ccache");
- creds_union.cred_type = CC_CRED_V5;
-
- release_v5_creds_union_compat(&creds_union);
- }
- }
-
// non-existent ccache
if (ccache) {
err = cc_get_name(context, ccache, &name);
diff --git a/src/include/CredentialsCache.h b/src/include/CredentialsCache.h
index 54f71a1a0..c18159639 100644
--- a/src/include/CredentialsCache.h
+++ b/src/include/CredentialsCache.h
@@ -104,19 +104,19 @@ extern "C" {
* \section introduction Introduction
*
* This is the specification for an API which provides Credentials Cache
- * services for both Kerberos v5 and v4. The idea behind this API is that
- * multiple Kerberos implementations can share a single collection of
- * credentials caches, mediated by this API specification. On the Mac OS
- * and Microsoft Windows platforms this will allow single-login, even when
- * more than one Kerberos shared library is in use on a particular system.
+ * services for Kerberos v5 (and previously v4). The idea behind this API is
+ * that multiple Kerberos implementations can share a single collection of
+ * credentials caches, mediated by this API specification. On the Mac OS and
+ * Microsoft Windows platforms this will allow single-login, even when more
+ * than one Kerberos shared library is in use on a particular system.
*
* Abstractly, a credentials cache collection contains one or more credentials
* caches, or ccaches. A ccache is uniquely identified by its name, which is
* a string internal to the API and not intended to be presented to users.
* The user presentable identifier of a ccache is its principal.
*
- * Unlike the previous versions of the API, version 3 of the API stores both
- * Kerberos v4 and v5 credentials in the same ccache.
+ * Unlike the previous versions of the API, version 3 of the API could store
+ * credentials for multiple Kerberos versions in the same ccache.
*
* At any given time, one ccache is the "default" ccache. The exact meaning
* of a default ccache is OS-specific; refer to implementation requirements
@@ -305,10 +305,9 @@ enum {
/*!
* Credentials versions
*
- * These constants are used in several places in the API to discern
- * between Kerberos v4 and Kerberos v5. Not all values are valid
- * inputs and outputs for all functions; function specifications
- * below detail the allowed values.
+ * These constants are used in several places in the API to discern Kerberos
+ * versions. Not all values are valid inputs and outputs for all functions;
+ * function specifications below detail the allowed values.
*
* Kerberos version constants will always be a bit-field, and can be
* tested as such; for example the following test will tell you if
@@ -317,9 +316,9 @@ enum {
* if ((ccacheVersion & cc_credentials_v5) != 0)
*/
enum cc_credential_versions {
- cc_credentials_v4 = 1,
+ /* cc_credentials_v4 = 1, */
cc_credentials_v5 = 2,
- cc_credentials_v4_v5 = 3
+ /* cc_credentials_v4_v5 = 3 */
};
/*!
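Review bot: The retired values in `enum cc_credential_versions` survive only as commented-out enumerators, so nothing tells a later maintainer that 1 and 3 must stay unused. Callers built against the old header can still pass those numbers in a `cred_vers` argument. I would replace the two commented lines with one explicit note such as `/* 1 (was cc_credentials_v4) and 3 (was cc_credentials_v4_v5) are retired; do not reuse */`. The comment above the enum still says the constants "will always be a bit-field", which no longer describes a single-value enum. The comma after `cc_credentials_v5 = 2` now ends the list, which pre-C99 and C++03 compilers reject or warn about in this `extern "C"` header.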
@@ -353,29 +352,6 @@ enum cc_lock_modes {
cc_lock_block = 1
};
-/*!
- * Sizes of fields in cc_credentials_v4_t.
- */
-enum {
- /* Make sure all of these are multiples of four (for alignment sanity) */
- cc_v4_name_size = 40,
- cc_v4_instance_size = 40,
- cc_v4_realm_size = 40,
- cc_v4_ticket_size = 1254,
- cc_v4_key_size = 8
-};
-
-/*!
- * String to key type (Kerberos v4 only)
- */
-enum cc_string_to_key_type {
- cc_v4_stk_afs = 0,
- cc_v4_stk_des = 1,
- cc_v4_stk_columbia_special = 2,
- cc_v4_stk_krb5 = 3,
- cc_v4_stk_unknown = 4
-};
-
/*!@}*/
/*!
@@ -482,15 +458,13 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t;
* \defgroup cc_credentials_reference cc_credentials_t Overview
* @{
*
- * The cc_credentials_t type is used to store a single set of
- * credentials for either Kerberos v4 or Kerberos v5. In addition
- * to its only function, release(), it contains a pointer to a
- * cc_credentials_union structure. A cc_credentials_union
+ * The cc_credentials_t type is used to store a single set of credentials for
+ * Kerberos v5. In addition to its only function, release(), it contains a
+ * pointer to a cc_credentials_union structure. A cc_credentials_union
* structure contains an integer of the enumerator type
- * cc_credentials_version, which is either #cc_credentials_v4 or
- * #cc_credentials_v5, and a pointer union, which contains either a
- * cc_credentials_v4_t pointer or a cc_credentials_v5_t pointer,
- * depending on the value in version.
+ * cc_credentials_version, which is #cc_credentials_v5, and a pointer union,
+ * which contains a cc_credentials_v5_t pointer, depending on the value in
+ * version.
*
* Variables of the type cc_credentials_t are allocated by the CCAPI
* implementation, and should be released with their release()
@@ -501,43 +475,6 @@ typedef cc_ccache_iterator_d *cc_ccache_iterator_t;
* For API functions see \ref cc_credentials_f.
*/
-/*!
- * If a cc_credentials_t variable is used to store Kerberos v4
- * credentials, then credentials.credentials_v4 points to a v4
- * credentials structure. This structure is similar to a
- * krb4 API CREDENTIALS structure.
- */
-struct cc_credentials_v4_t {
- cc_uint32 version;
- /*! A properly quoted string representation of the first component of the client principal */
- char principal [cc_v4_name_size];
- /*! A properly quoted string representation of the second component of the client principal */
- char principal_instance [cc_v4_instance_size];
- /*! A properly quoted string representation of the first component of the service principal */
- char service [cc_v4_name_size];
- /*! A properly quoted string representation of the second component of the service principal */
- char service_instance [cc_v4_instance_size];
- /*! A properly quoted string representation of the realm */
- char realm [cc_v4_realm_size];
- /*! Ticket session key */
- unsigned char session_key [cc_v4_key_size];
- /*! Key version number */
- cc_int32 kvno;
- /*! String to key type used. See cc_string_to_key_type for valid values */
- cc_int32 string_to_key_type;
- /*! Time when the ticket was issued */
- cc_time_t issue_date;
- /*! Ticket lifetime in 5 minute units */
- cc_int32 lifetime;
- /*! IPv4 address of the client the ticket was issued for */
- cc_uint32 address;
- /*! Ticket size (no greater than cc_v4_ticket_size) */
- cc_int32 ticket_size;
- /*! Ticket data */
- unsigned char ticket [cc_v4_ticket_size];
-};
-typedef struct cc_credentials_v4_t cc_credentials_v4_t;
-
/*!
* The CCAPI data structure. This structure is similar to a krb5_data structure.
* In a v5 credentials structure, cc_data structures are used
@@ -602,8 +539,6 @@ struct cc_credentials_union {
cc_uint32 version;
/*! The credentials. */
union {
- /*! If \a version is #cc_credentials_v4, a pointer to a cc_credentials_v4_t. */
- cc_credentials_v4_t* credentials_v4;
/*! If \a version is #cc_credentials_v5, a pointer to a cc_credentials_v5_t. */
cc_credentials_v5_t* credentials_v5;
} credentials;
@@ -781,13 +716,11 @@ struct cc_context_f {
* \return On success, #ccNoError. On failure, an error code representing the failure.
* \brief \b cc_context_create_ccache(): Create a new ccache.
*
- * Create a new credentials cache. The ccache is uniquely identified by its name.
- * The principal given is also associated with the ccache and the credentials
- * version specified. A NULL name is not allowed (and ccErrBadName is returned
- * if one is passed in). Only cc_credentials_v4 and cc_credentials_v5 are valid
- * input values for cred_vers. If you want to create a new ccache that will hold
- * both versions of credentials, call cc_context_create_ccache() with one version,
- * and then cc_ccache_set_principal() with the other version.
+ * Create a new credentials cache. The ccache is uniquely identified by
+ * its name. The principal given is also associated with the ccache and
+ * the credentials version specified. A NULL name is not allowed (and
+ * ccErrBadName is returned if one is passed in). Only cc_credentials_v5
+ * can be an input value for cred_vers.
*
* If you want to create a new ccache (with a unique name), you should use
* cc_context_create_new_ccache() instead. If you want to create or reinitialize
@@ -814,10 +747,9 @@ struct cc_context_f {
* cc_context_get_default_ccache_name()); see the description of
* cc_context_get_default_ccache_name() for details.
*
- * The principal should be a C string containing an unparsed Kerberos principal
- * in the format of the appropriate Kerberos version, i.e. \verbatim foo.bar/@BAZ
- * \endverbatim for Kerberos v4 and \verbatim foo/bar/@BAZ \endverbatim
- * for Kerberos v5.
+ * The principal should be a C string containing an unparsed Kerberos
+ * principal in the format of the appropriate Kerberos version,
+ * i.e. \verbatim foo/bar/@BAZ \endverbatim for Kerberos v5.
*/
cc_int32 (*create_ccache) (cc_context_t in_context,
const char *in_name,
@@ -1014,14 +946,11 @@ struct cc_ccache_f {
* \return On success, #ccNoError. On failure, an error code representing the failure.
* \brief \b cc_ccache_get_credentials_version(): Get the credentials version of a ccache.
*
- * cc_ccache_get_credentials_version() returns one value of the enumerated type
- * cc_credentials_vers. The possible return values are #cc_credentials_v4
- * (if ccache's v4 principal has been set), #cc_credentials_v5
- * (if ccache's v5 principal has been set), or #cc_credentials_v4_v5
- * (if both ccache's v4 and v5 principals have been set). A ccache's
- * principal is set with one of cc_context_create_ccache(),
- * cc_context_create_new_ccache(), cc_context_create_default_ccache(), or
- * cc_ccache_set_principal().
+ * cc_ccache_get_credentials_version() returns one value of the enumerated
+ * type cc_credentials_vers. The return value is #cc_credentials_v5 (if
+ * ccache's v5 principal has been set). A ccache's principal is set with
+ * one of cc_context_create_ccache(), cc_context_create_new_ccache(),
+ * cc_context_create_default_ccache(), or cc_ccache_set_principal().
*/
cc_int32 (*get_credentials_version) (cc_ccache_t in_ccache,
cc_uint32 *out_credentials_version);
@@ -1046,10 +975,7 @@ struct cc_ccache_f {
*
* Return the principal for the ccache that was set via cc_context_create_ccache(),
* cc_context_create_default_ccache(), cc_context_create_new_ccache(), or
- * cc_ccache_set_principal(). Principals for v4 and v5 are separate, but
- * should be kept synchronized for each ccache; they can be retrieved by
- * passing cc_credentials_v4 or cc_credentials_v5 in cred_vers. Passing
- * cc_credentials_v4_v5 will result in the error ccErrBadCredentialsVersion.
+ * cc_ccache_set_principal().
*/
cc_int32 (*get_principal) (cc_ccache_t in_ccache,
cc_uint32 in_credentials_version,
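Review bot: The get_principal documentation no longer says which `in_credentials_version` values are accepted or what an unsupported one returns, although the parameter is still in the signature. The same gap is in the set_principal hunk that follows, whose new text also keeps the typo "Set the a principal". The create_ccache comment in this patch states the rule explicitly, and a matching sentence would fit here, for example `Only cc_credentials_v5 is valid for cred_vers.` If the implementation still returns ccErrBadCredentialsVersion for other values, the comment should say so as well. That code is outside this hunk, so it needs confirming first.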
@@ -1063,10 +989,7 @@ struct cc_ccache_f {
* \return On success, #ccNoError. On failure, an error code representing the failure.
* \brief \b cc_ccache_set_principal(): Set the principal of a ccache.
*
- * Set the a principal for ccache. The v4 and v5 principals can be set
- * independently, but they should always be kept equal, up to differences in
- * string representation between v4 and v5. Passing cc_credentials_v4_v5 in
- * cred_vers will result in the error ccErrBadCredentialsVersion.
+ * Set the a principal for ccache.
*/
cc_int32 (*set_principal) (cc_ccache_t io_ccache,
cc_uint32 in_credentials_version,
@@ -1083,12 +1006,13 @@ struct cc_ccache_f {
* See the description of the credentials types for the meaning of
* cc_credentials_union fields.
*
- * Before credentials of a specific credential type can be stored in a ccache,
- * the corresponding principal version has to be set. For example, before you can
- * store Kerberos v4 credentials in a ccache, the Kerberos v4 principal has to be set
- * either by cc_context_create_ccache(), cc_context_create_default_ccache(),
- * cc_context_create_new_ccache(), or cc_ccache_set_principal(); likewise for
- * Kerberos v5. Otherwise, ccErrBadCredentialsVersion is returned.
+ * Before credentials of a specific credential type can be stored in a
+ * ccache, the corresponding principal version has to be set. That is,
+ * before you can store Kerberos v5 credentials in a ccache, the Kerberos
+ * v5 principal has to be set either by cc_context_create_ccache(),
+ * cc_context_create_default_ccache(), cc_context_create_new_ccache(), or
+ * cc_ccache_set_principal(); otherwise, ccErrBadCredentialsVersion is
+ * returned.
*/
cc_int32 (*store_credentials) (cc_ccache_t io_ccache,
const cc_credentials_union *in_credentials_union);
diff --git a/src/include/CredentialsCache2.h b/src/include/CredentialsCache2.h
index b3b48996d..9e5a346ac 100644
--- a/src/include/CredentialsCache2.h
+++ b/src/include/CredentialsCache2.h
@@ -85,36 +85,13 @@ typedef struct cc_credentials_v5_compat {
cc_data_compat** authdata;
} cc_credentials_v5_compat;
-enum {
- MAX_V4_CRED_LEN = 1250
-};
-
enum {
KRB_NAME_SZ = 40,
KRB_INSTANCE_SZ = 40,
KRB_REALM_SZ = 40
};
-typedef struct cc_credentials_v4_compat {
- unsigned char kversion;
- char principal[KRB_NAME_SZ+1];
- char principal_instance[KRB_INSTANCE_SZ+1];
- char service[KRB_NAME_SZ+1];
- char service_instance[KRB_INSTANCE_SZ+1];
- char realm[KRB_REALM_SZ+1];
- unsigned char session_key[8];
- cc_int32 kvno;
- cc_int32 str_to_key;
- long issue_date;
- cc_int32 lifetime;
- cc_uint32 address;
- cc_int32 ticket_sz;
- unsigned char ticket[MAX_V4_CRED_LEN];
- unsigned long oops;
-} cc_credentials_v4_compat;
-
typedef union cred_ptr_union_compat {
- cc_credentials_v4_compat* pV4Cred;
cc_credentials_v5_compat* pV5Cred;
} cred_ptr_union_compat;
@@ -135,7 +112,6 @@ typedef struct infoNC infoNC;
/* Some old type names */
-typedef cc_credentials_v4_compat V4Cred_type;
typedef cc_credentials_v5_compat cc_creds;
struct ccache_cit;
typedef struct ccache_cit ccache_cit;
@@ -166,7 +142,7 @@ enum {
enum {
CC_CRED_UNKNOWN,
- CC_CRED_V4,
+ /* CC_CRED_V4, */
CC_CRED_V5,
CC_CRED_MAX
};
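Review bot: Commenting out `CC_CRED_V4` in this enum renumbers the enumerators after it, because none of them has an explicit value: `CC_CRED_V5` drops from 2 to 1 and `CC_CRED_MAX` from 3 to 2. The kfwlogon.h and leash-int.h hunks later in this patch keep `CC_CRED_V5 = 2`, so the headers now disagree on the tag that selects the pointer in `cred_ptr_union_compat`. Anything built against the old header would presumably be rejected or misread. Pinning the values avoids that: `CC_CRED_V5 = 2,` and `CC_CRED_MAX = 3`. The check_cc_store hunk in test_ccapi_v2.c also drops the `CC_CRED_MAX` rejection case along with the v4 one, so the v2 tests visible in this patch no longer exercise an invalid `cred_type` on store.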
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
index db69eebb4..cac61e45c 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc.c
@@ -589,7 +589,6 @@ krb5_stdccv3_next_cred (krb5_context context,
err = stdccv3_setup (context, ccapi_data);
}
- /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err) {
err = cc_credentials_iterator_next (iterator, &credentials);
@@ -836,7 +835,6 @@ krb5_stdccv3_remove (krb5_context context,
&iterator);
}
- /* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err && !found) {
cc_credentials_t credentials = NULL;
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
index 62d847c18..1f2a3865c 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
@@ -521,9 +521,6 @@ cred_union_release (cc_credentials_union *in_cred_union)
free (cv5);
- } else if (in_cred_union->version == cc_credentials_v4 &&
- in_cred_union->credentials.credentials_v4) {
- free (in_cred_union->credentials.credentials_v4);
}
free ((cc_credentials_union *) in_cred_union);
}
@@ -892,10 +889,7 @@ static void deep_free_cc_v5_creds (cc_creds* creds)
static void deep_free_cc_creds (cred_union creds)
{
- if (creds.cred_type == CC_CRED_V4) {
- /* we shouldn't get this, of course */
- free (creds.cred.pV4Cred);
- } else if (creds.cred_type == CC_CRED_V5) {
+ if (creds.cred_type == CC_CRED_V5) {
deep_free_cc_v5_creds (creds.cred.pV5Cred);
}
}
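Review bot: After this change `deep_free_cc_creds` silently does nothing for any `cred_type` other than `CC_CRED_V5`, so a union carrying the retired v4 tag, or any unexpected tag, keeps its `creds.cred` pointer allocated. The removed branch at least freed it, and its comment recorded that the case was not expected. The `cred_union_release` hunk just above has the same shape: the v4 branch is gone and the outer struct is freed regardless of `version`. Whether such a union can still reach these functions depends on callers outside the hunks. A short comment would make the choice visible, for example `/* other cred_type values are not freed here; only v5 is produced */`.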
diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h
index b2674573e..622d5665c 100644
--- a/src/windows/kfwlogon/kfwlogon.h
+++ b/src/windows/kfwlogon/kfwlogon.h
@@ -94,7 +94,7 @@ typedef int cc_int32;
enum {
CC_CRED_VUNKNOWN = 0, // For validation
- CC_CRED_V4 = 1,
+ /* CC_CRED_V4 = 1, */
CC_CRED_V5 = 2,
CC_CRED_VMAX = 3 // For validation
};
diff --git a/src/windows/leashdll/leash-int.h b/src/windows/leashdll/leash-int.h
index cb40c607c..bf6f6a08d 100644
--- a/src/windows/leashdll/leash-int.h
+++ b/src/windows/leashdll/leash-int.h
@@ -182,7 +182,7 @@ typedef int cc_int32;
enum {
CC_CRED_VUNKNOWN = 0, // For validation
- CC_CRED_V4 = 1,
+ /* CC_CRED_V4 = 1, */
CC_CRED_V5 = 2,
CC_CRED_VMAX = 3 // For validation
};
diff --git a/src/windows/lib/cacheapi.h b/src/windows/lib/cacheapi.h
index b30857810..9aab4a098 100644
--- a/src/windows/lib/cacheapi.h
+++ b/src/windows/lib/cacheapi.h
@@ -126,52 +126,8 @@ typedef struct _cc_creds {
cc_data ** authdata;
} cc_creds;
-// begin V4 stuff
-// use an enumerated type so all callers infer the same meaning
-// these values are what krbv4win uses internally.
-#define STK_AFS 0
-#define STK_DES 1
-
-// K4 uses a MAX_KTXT_LEN of 1250 to hold a ticket
-// K95 uses 256
-// To be safe I'll use the larger number, but a factor of 5!!!
-#define MAX_V4_CRED_LEN 1250
-
-// V4 Credentials
-
-enum {
- KRB_NAME_SZ = 40,
- KRB_INSTANCE_SZ = 40,
- KRB_REALM_SZ = 40
-};
-
-typedef struct cc_V4credential {
- unsigned char kversion;
- char principal[KRB_NAME_SZ + 1];
- char principal_instance[KRB_INSTANCE_SZ + 1];
- char service[KRB_NAME_SZ + 1];
- char service_instance[KRB_INSTANCE_SZ + 1];
- char realm[KRB_REALM_SZ + 1];
- unsigned char session_key[8];
- cc_int32 kvno; // k95 used BYTE skvno
- cc_int32 str_to_key; // k4 infers dynamically, k95 stores
- long issue_date; // k95 called this issue_time
- cc_int32 lifetime; // k95 used LONG expiration_time
- cc_uint32 address; // IP Address of local host
- cc_int32 ticket_sz; // k95 used BYTE, k4 ktext uses int to hold up to 1250
- unsigned char ticket[MAX_V4_CRED_LEN];
- unsigned long oops; // zero to catch runaways
-} V4Cred_type;
-
-enum {
- CC_CRED_VUNKNOWN = 0, // For validation
- CC_CRED_V4 = 1,
- CC_CRED_V5 = 2,
- CC_CRED_VMAX = 3 // For validation
-};
typedef union cred_ptr_union_type {
- V4Cred_type* pV4Cred;
cc_creds* pV5Cred;
} cred_ptr_union;
@@ -223,16 +179,15 @@ cc_get_change_time(
** create, open, close, destroy, get_principal, get_cred_version, &
** lock_request
**
-** Multiple NCs are allowed within the main cache. Each has a Name
-** and kerberos version # (V4 or V5). Caller gets "ccache_ptr"s for
-** NCs.
+** Multiple NCs are allowed within the main cache. Each has a Name and
+** kerberos version # (V5). Caller gets "ccache_ptr"s for NCs.
*/
CCACHE_API
cc_create(
apiCB* cc_ctx, // > DLL's primary control structure
const char* name, // > name of cache to be [destroyed if exists, then] created
const char* principal,
- cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
+ cc_int32 vers, // > ticket version (CC_CRED_V5)
cc_uint32 cc_flags, // > options
ccache_p** ccache_ptr // < NC control structure
);
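Review bot: The updated comment on `vers` names `CC_CRED_V5`, but the previous hunk in this file deletes the enum that defined `CC_CRED_VUNKNOWN`, `CC_CRED_V5` and `CC_CRED_VMAX` along with the V4 material. The cc_open hunk that follows has the same reference. Unless another header supplies these constants, which is not visible here, code that includes only cacheapi.h has no definition for the value the comment tells it to pass. I would keep that enum and comment out only its `CC_CRED_V4 = 1` entry, as the kfwlogon.h and leash-int.h hunks in this patch do. That keeps `CC_CRED_V5` at 2 and leaves the two validation bounds in place.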
@@ -241,7 +196,7 @@ CCACHE_API
cc_open(
apiCB* cc_ctx, // > DLL's primary control structure
const char* name, // > name of pre-created cache
- cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
+ cc_int32 vers, // > ticket version (CC_CRED_V5)
cc_uint32 cc_flags, // > options
ccache_p** ccache_ptr // < NC control structure
);