Fix strings for Ultrix native compiler
[krb5.git] / src / krb524 / cnv_tkt_skey.c
1 /*
2  * Copyright 1994 by OpenVision Technologies, Inc.
3  * 
4  * Permission to use, copy, modify, distribute, and sell this software
5  * and its documentation for any purpose is hereby granted without fee,
6  * provided that the above copyright notice appears in all copies and
7  * that both that copyright notice and this permission notice appear in
8  * supporting documentation, and that the name of OpenVision not be used
9  * in advertising or publicity pertaining to distribution of the software
10  * without specific, written prior permission. OpenVision makes no
11  * representations about the suitability of this software for any
12  * purpose.  It is provided "as is" without express or implied warranty.
13  * 
14  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
18  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
19  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
20  * PERFORMANCE OF THIS SOFTWARE.
21  */
22
23 #include "krb5.h"
24 #include <stdio.h>
25 #include <sys/types.h>
26 #include <sys/time.h>
27 #include <sys/socket.h>
28 #include <netinet/in.h>
29 #include <krb.h>
30 #include <krb4-proto.h>
31 #include "krb524.h"
32
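/*
 * Convert a v5 ticket for server to a v4 ticket, using service key
 * skey for both.
 *
 * v5tkt is decrypted with skey; its principals, session key, times and
 * first client address are mapped to V4 form and handed to
 * krb_create_ticket() together with skey->contents to fill in v4tkt.
 * The decrypted part (v5tkt->enc_part2) is released and reset to NULL
 * on every path after a successful decrypt.
 *
 * Returns 0 on success; the error from krb5_decrypt_tkt_part() or
 * krb524_convert_princs(); KRB524_BADKEY if the session key is not a
 * DES key of C_Block size; KRB524_BADADDR if the first client address
 * is not a 4-byte INET address; KRB524_V4ERR if krb_create_ticket()
 * does not return KSUCCESS.
 */
int krb524_convert_tkt_skey(context, v5tkt, v4tkt, skey)
     krb5_context context;
     krb5_ticket *v5tkt;
     KTEXT_ST *v4tkt;
     krb5_keyblock *skey;
{
     char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
     char sname[ANAME_SZ], sinst[INST_SZ];
     krb5_enc_tkt_part *v5etkt;
     struct in_addr client_addr;
     unsigned char *addr_bytes;
     long life_units;
     int ret, lifetime, i;

     v5tkt->enc_part2 = NULL;
     if ((ret = krb5_decrypt_tkt_part(context, skey, v5tkt))) {
          /*
           * NOTE(review): this is the only error path that frees the
           * caller's ticket; every other path leaves v5tkt allocated.
           * A caller that also frees v5tkt on error would double-free
           * here -- confirm the ownership contract against the callers.
           */
          krb5_free_ticket(context, v5tkt);
          return ret;
     }
     v5etkt = v5tkt->enc_part2;

     if ((ret = krb524_convert_princs(context, v5etkt->client, v5tkt->server,
                                     pname, pinst, prealm, sname,
                                     sinst))) {
          krb5_free_enc_tkt_part(context, v5etkt);
          v5tkt->enc_part2 = NULL;
          return ret;
     }

     /* The V4 ticket carries a raw DES key, so nothing else can be mapped. */
     if (v5etkt->session->keytype != KEYTYPE_DES ||
         v5etkt->session->length != sizeof(C_Block)) {
          if (krb524_debug)
               /* Cast every argument: sizeof yields size_t, not int. */
               fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n",
                       (int) v5etkt->session->keytype,
                       (int) v5etkt->session->length,
                       (int) sizeof(C_Block));
          krb5_free_enc_tkt_part(context, v5etkt);
          v5tkt->enc_part2 = NULL;
          return KRB524_BADKEY;
     }

     /* V4 has no concept of authtime or renew_till, so ignore them */
     /* V4 lifetime is 1 byte, in 5 minute increments */
     if (v5etkt->times.starttime == 0)
          v5etkt->times.starttime = v5etkt->times.authtime;

     /*
      * The V4 ticket is issued at starttime (see the krb_create_ticket
      * call below), so the lifetime is measured from starttime as well;
      * measuring from authtime would let the V4 ticket outlive the V5
      * endtime whenever starttime is later than authtime.  The value is
      * clamped to the one-byte range instead of masked, so a long V5
      * lifetime maps to the V4 maximum rather than wrapping to an
      * arbitrary shorter one, and a non-positive span maps to zero.
      */
     if (v5etkt->times.endtime <= v5etkt->times.starttime)
          life_units = 0;
     else
          life_units = ((long) v5etkt->times.endtime -
                        (long) v5etkt->times.starttime) / 300;
     if (life_units > 0xff)
          life_units = 0xff;
     lifetime = (int) life_units;

     /* XXX perhaps we should use the addr of the client host if */
     /* v5creds contains more than one addr.  Q: Does V4 support */
     /* non-INET addresses? */
     /*
      * The address comes out of the ticket, so its length is checked
      * before any bytes are read from it: only a 4-byte INET address
      * fits the V4 address field.
      */
     if (!v5etkt->caddrs || !v5etkt->caddrs[0] ||
         v5etkt->caddrs[0]->addrtype != ADDRTYPE_INET ||
         v5etkt->caddrs[0]->length != (int) sizeof(client_addr) ||
         !v5etkt->caddrs[0]->contents) {
          if (krb524_debug)
               fprintf(stderr, "Invalid v5creds address information.\n");
          krb5_free_enc_tkt_part(context, v5etkt);
          v5tkt->enc_part2 = NULL;
          return KRB524_BADADDR;
     }

     /*
      * Copy the address bytes instead of dereferencing the buffer as an
      * unsigned long: where long is wider than 4 bytes that read runs
      * past the end of the address, and the buffer need not be aligned
      * for a long.
      */
     addr_bytes = (unsigned char *) &client_addr;
     for (i = 0; i < (int) sizeof(client_addr); i++)
          addr_bytes[i] = v5etkt->caddrs[0]->contents[i];

     if (krb524_debug)
        printf("startime = %ld, authtime = %ld, lifetime = %ld\n",
               (long) v5etkt->times.starttime,
               (long) v5etkt->times.authtime,
               (long) lifetime);

     /* XXX are there V5 flags we should map to V4 equivalents? */
     ret = krb_create_ticket(v4tkt,
                             0, /* flags */
                             pname,
                             pinst,
                             prealm,
                             /* explicit cast keeps the argument an
                                unsigned long even without a prototype */
                             (unsigned long) client_addr.s_addr,
                             v5etkt->session->contents,
                             lifetime,
                             /* issue_data */
                             v5etkt->times.starttime,
                             sname,
                             sinst,
                             skey->contents);

     krb5_free_enc_tkt_part(context, v5etkt);
     v5tkt->enc_part2 = NULL;
     if (ret == KSUCCESS)
          return 0;
     else
          return KRB524_V4ERR;
}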