end of pointer arrays in krb5_creds

end of pointer arrays in krb5_creds

Rick van Rein (OpenFortress)
Hi,

I'm trying to use the krb5_creds.authdata and/or krb5_creds.addresses;
it's of type (krb5_authdata **) so probably an array.

Are these arrays NULL-terminated?  It seems to be lost in the documentation.

-Rick
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
Re: end of pointer arrays in krb5_creds

Greg Hudson
On 09/15/2016 07:12 PM, Rick van Rein wrote:
> I'm trying to use the krb5_creds.authdata and/or krb5_creds.addresses;
> it's of type (krb5_authdata **) so probably an array.
>
> Are these arrays NULL-terminated?  It seems to be lost in the documentation.

Yes, they are.

Re: end of pointer arrays in krb5_creds

Rick van Rein (OpenFortress)
Hi,

Thanks.  A surprise that I am running into:

The hostaddresses are OPTIONAL, so I would have expected the array pointer (so the **) to be NULL when no host addresses are present in the krb5_creds structure.  However, when using "kinit -A" to log in, I do find an array but its first element is NULL.

Normally I would have assumed that a list is prescribing, unless absent.  But it seems that the empty list is an exception, and treated as a carte blanche re. host addresses.

This confuses me somewhat -- what does it mean if there are only IPv4 addresses on the list, and I am approached over an IPv6 address?  My gut feeling says "reject"... right?

-Rick

Re: end of pointer arrays in krb5_creds

Greg Hudson
On 09/16/2016 04:40 AM, Rick van Rein wrote:
> The hostaddresses are OPTIONAL, so I would have expected the array pointer (so the **) to be NULL when no host addresses are present in the krb5_creds structure.  However, when using "kinit -A" to login, I do find an array but its first element is NULL.

(kinit -A is normally the default, right?)

Most of the time, your instinct is correct; in Kerberos ASN.1 objects,
sequences like this are usually optional but non-empty when present, and
the corresponding MIT krb5 C structures contain a NULL pointer when the
sequence is absent.  For instance, EncTicketPart contains the field
"caddr [9] HostAddresses OPTIONAL", where HostAddresses has the comment
"HostAddresses is always used as an OPTIONAL field and should not be
empty."  And in a krb5_enc_tkt_part object, the caddrs field will be
NULL if no address restrictions are present in the ticket.

However, the krb5_creds type is marshalled to and from ccache files
using a different subsystem, and the unmarshalling code always creates
an array for the addresses and authdata fields.  This is a historical
inconsistency, which there probably isn't much benefit in fixing.

> Normally I would have assumed that a list is prescribing, unless absent.  But it seems that the empty list is an exception, and treated as a carte blanche re. host addresses.

Enforcement of address restrictions isn't done using a krb5_creds
object.  When you acquire a ticket, the KDC tells the client what
address restrictions are present in the ticket for the client's
information, and the client notes that in the krb5_creds object that it
marshals out to the ccache.  That information can be shown with klist
-a, but otherwise isn't used (as far as I know).
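An added example (not code from the thread or from MIT krb5) showing how to walk the NULL-terminated pointer arrays discussed above while telling apart the three shapes the thread mentions: a NULL array pointer (absent, as in krb5_enc_tkt_part.caddrs), an array whose first element is NULL (empty, as the ccache unmarshalling produces for krb5_creds), and a populated array. It uses a constructed stand-in for krb5_address so that it compiles without <krb5.h>; the ADDRTYPE values match the ones defined in krb5.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for krb5_address (the real type in <krb5.h> also
 * carries a magic field); used here so the example builds without libkrb5. */
typedef struct {
    int addrtype;            /* ADDRTYPE_INET or ADDRTYPE_INET6 */
    unsigned int length;     /* number of bytes in contents */
    const uint8_t *contents;
} addr_t;

#define ADDRTYPE_INET  2     /* same numeric values as krb5.h */
#define ADDRTYPE_INET6 24

enum addr_state { ADDRS_ABSENT, ADDRS_EMPTY, ADDRS_PRESENT };

/* Count entries of a NULL-terminated array; NULL and empty both give 0. */
size_t count_addrs(addr_t **addrs)
{
    size_t n = 0;
    if (addrs == NULL) return 0;
    while (addrs[n] != NULL) n++;
    return n;
}

/* Classify the array shape; for display (as klist -a does) both ABSENT and
 * EMPTY mean that no address restrictions were recorded in the credential. */
enum addr_state classify_addrs(addr_t **addrs)
{
    if (addrs == NULL) return ADDRS_ABSENT;
    return addrs[0] == NULL ? ADDRS_EMPTY : ADDRS_PRESENT;
}

/* Sanity check before touching contents: every entry must carry the byte
 * length its address type implies (4 for IPv4, 16 for IPv6). Returns 1 if
 * every entry is well formed, 0 otherwise; NULL and empty arrays pass. */
int addrs_well_formed(addr_t **addrs)
{
    for (size_t i = 0; addrs != NULL && addrs[i] != NULL; i++) {
        unsigned int want = addrs[i]->addrtype == ADDRTYPE_INET ? 4
                          : addrs[i]->addrtype == ADDRTYPE_INET6 ? 16 : 0;
        if (want == 0 || addrs[i]->length != want || addrs[i]->contents == NULL)
            return 0;
    }
    return 1;
}

/* Constructed sample data: one IPv4 entry, one bogus entry, and the
 * empty-but-present array that kinit leaves in the ccache. */
static const uint8_t sample_v4[4] = {192, 0, 2, 10};
static addr_t good_addr = { ADDRTYPE_INET, 4, sample_v4 };
static addr_t bad_addr  = { ADDRTYPE_INET6, 4, sample_v4 };  /* wrong length */
addr_t *populated[] = { &good_addr, NULL };
addr_t *malformed[] = { &good_addr, &bad_addr, NULL };
addr_t *empty_array[] = { NULL };
```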