+Mon Jan 30 15:46:14 1995 Chris Provenzano (proven@mit.edu)
+
+ * int-proto.h Update prototypes for krb5_get_cred_via_tgt(), and
+ krb5_get_cred_via_2tgt().
+
+ * get_fcreds.c (krb5_get_for_creds())
+ * gc_via_tgt.c (krb5_get_cred_via_tgt())
+ * gc_2tgt.c (krb5_get_cred_via_2tgt())
+ Removed krb5_enctype argument. Pass NULL list of encryption
+ types to krb5_send_tgs to get default encryption types.
+
+ * gc_frm_kdc.c Removed krb5_enctype argument passed to
+ krb5_get_cred_via_tgt()
+
+ * send_tgs.c (krb5_send_tgs()) Changed krb5_enctype arg to
+ krb5_enctype *, a NULL terminated array of encryption
+ types. If argument is NULL then krb5_send_tgs() will
+ use defaul list of encryption types.
+
+ * send_tgs.c (krb5_send_tgs()) To encrypt request ticket use
+ usecred->keyblock.etype instead of (and now defunct)
+ krb5_enctype arg.
+
+ * init_ctx.c Added krb5_set_default_in_tkt_etypes() and
+ krb5_get_default_in_tkt_etypes().
+
+ * rd_req.c, rd_req_decode.c Removed typedef for rdreq_key_proc
+ and use krb5_rd_req_decoded in its place.
+
+Mon Jan 30 11:26:05 1995 Chris Provenzano (proven@mit.edu)
+
+ * get_fcreds.c Really needs #include<krb5/asn1.h> for definition
+ of krb5_is_krb_error()
+
Sat Jan 28 14:45:55 1995 Chris Provenzano (proven@mit.edu)
* in_tkt_sky.c (skey_keyproc()), rd_req_dec.c (krb5_rd_req_decoded())
#include "int-proto.h"
krb5_error_code
-krb5_get_cred_via_2tgt (context, tgt, kdcoptions, etype, sumtype, cred)
+krb5_get_cred_via_2tgt (context, tgt, kdcoptions, sumtype, cred)
krb5_context context;
krb5_creds *tgt;
const krb5_flags kdcoptions;
- const krb5_enctype etype;
const krb5_cksumtype sumtype;
register krb5_creds * cred;
{
krb5_kdc_rep *dec_rep;
krb5_error *err_reply;
krb5_response tgsrep;
+ krb5_enctype etype;
/* tgt->client must be equal to cred->client */
/* tgt->server must be equal to krbtgt/realmof(cred->client) */
if (!(kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY))
return KRB5_INVALID_FLAGS;
- if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, etype, sumtype,
+ if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, NULL,
+ sumtype,
cred->server,
tgt->addresses,
cred->authdata,
free(tgsrep.response.data);
return retval;
}
+ etype = tgt->keyblock.etype;
retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock,
etype, &dec_rep);
free(tgsrep.response.data);
etype = TGT_ETYPE;
if(retval = krb5_get_cred_via_tgt(context, &tgt,
FLAGS2OPTS(tgtq.ticket_flags),
- etype,
krb5_kdc_req_sumtype,
&tgtq)) {
etype = TGT_ETYPE;
if (retval = krb5_get_cred_via_tgt(context, &tgt,
FLAGS2OPTS(tgtq.ticket_flags),
- etype,
krb5_kdc_req_sumtype,
&tgtq)) {
continue;
else {
retval = krb5_get_cred_via_tgt(context, &tgt,
FLAGS2OPTS(tgt.ticket_flags),
- etype,
krb5_kdc_req_sumtype,
cred);
}
#include "int-proto.h"
krb5_error_code
-krb5_get_cred_via_tgt (context, tgt, kdcoptions, etype, sumtype, cred)
+krb5_get_cred_via_tgt (context, tgt, kdcoptions, sumtype, cred)
krb5_context context;
krb5_creds * tgt;
const krb5_flags kdcoptions;
- const krb5_enctype etype;
const krb5_cksumtype sumtype;
krb5_creds * cred;
{
krb5_error_code retval;
krb5_principal tempprinc;
krb5_data *scratch;
+ krb5_enctype etype;
krb5_kdc_rep *dec_rep;
krb5_error *err_reply;
krb5_response tgsrep;
krb5_free_principal(context, tempprinc);
- if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, etype, sumtype,
+ if (retval = krb5_send_tgs(context, kdcoptions, &cred->times, NULL,
+ sumtype,
cred->server,
tgt->addresses,
cred->authdata,
cleanup();
return retval;
}
+
+ etype = tgt->keyblock.etype;
retval = krb5_decode_kdc_rep(context, &tgsrep.response,
&tgt->keyblock,
etype, /* enctype */
#include <netdb.h>
#include <krb5/krb5.h>
+#include <krb5/asn1.h>
#include <krb5/los-proto.h>
#include <krb5/ext-proto.h>
/* Get a TGT for use at the remote host */
krb5_error_code
-krb5_get_for_creds(context, etype, sumtype, rhost, client, enc_key, forwardable, outbuf)
+krb5_get_for_creds(context, sumtype, rhost, client, enc_key,
+ forwardable, outbuf)
krb5_context context;
- const krb5_enctype etype;
- const krb5_cksumtype sumtype;
- char *rhost;
- krb5_principal client;
- krb5_keyblock *enc_key;
- int forwardable; /* Should forwarded TGT also be forwardable? */
- krb5_data *outbuf;
+ const krb5_cksumtype sumtype;
+ char *rhost;
+ krb5_principal client;
+ krb5_keyblock *enc_key;
+ int forwardable; /* Should forwarded TGT also be forwardable? */
+ krb5_data *outbuf;
{
struct hostent *hp;
+ krb5_enctype etype;
krb5_address **addrs;
krb5_error_code retval;
krb5_data *scratch;
if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
kdcoptions &= ~(KDC_OPT_FORWARDABLE);
- if (retval = krb5_send_tgs(context, kdcoptions, &creds.times, etype, sumtype,
+ if (retval = krb5_send_tgs(context, kdcoptions, &creds.times, NULL,
+ sumtype,
tgt.server,
addrs,
creds.authdata,
goto errout;
}
+ etype = tgt.keyblock.etype;
if (retval = krb5_decode_kdc_rep(context, &tgsrep.response,
&tgt.keyblock,
etype, /* enctype */
memset(ctx, 0, sizeof(struct _krb5_context));
ctx->magic = KV5M_CONTEXT;
- retval = krb5_os_init_context(ctx);
- if (retval)
+ /* Set the default encryption types, possible defined in krb5/conf */
+ if (krb5_set_default_in_tkt_etypes(ctx, NULL))
+ goto cleanup;
+
+ if (krb5_os_init_context(ctx))
goto cleanup;
*context = ctx;
krb5_free_context(ctx)
krb5_context ctx;
{
- krb5_os_free_context(ctx);
- ctx->magic = 0;
- free(ctx);
+ krb5_os_free_context(ctx);
+
+ if (ctx->etypes);
+ free(ctx->etypes);
+
+ ctx->magic = 0;
+ free(ctx);
+}
+
+/*
+ * Set the desired default etypes, making sure they are valid.
+ */
+krb5_error_code
+krb5_set_default_in_tkt_etypes(context, etypes)
+ krb5_context context;
+ const krb5_enctype *etypes;
+{
+ krb5_enctype * new_etypes;
+ int i;
+
+ if (etypes) {
+ for (i = 0; etypes[i]; i++) {
+ if (!valid_etype(etypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+
+ /* Now copy the default etypes into the context pointer */
+ if (new_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i))
+ memcpy(new_etypes, etypes, sizeof(krb5_enctype) * i);
+ else
+ return ENOMEM;
+
+ } else {
+ i = 2;
+
+ /* Should reset the list to the runtime defaults */
+ if (new_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i)) {
+ new_etypes[0] = ETYPE_DES_CBC_MD5;
+ new_etypes[1] = ETYPE_DES_CBC_CRC;
+ } else {
+ return ENOMEM;
+ }
+ }
+
+ if (context->etypes)
+ free(context->etypes);
+ context->etypes = new_etypes;
+ context->etype_count = i;
+ return 0;
+}
+
+krb5_error_code
+krb5_get_default_in_tkt_etypes(context, etypes)
+ krb5_context context;
+ krb5_enctype **etypes;
+{
+ krb5_enctype * old_etypes;
+ int i;
+
+ if (old_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) *
+ (context->etype_count + 1))) {
+ memcpy(old_etypes, context->etypes, sizeof(krb5_enctype) *
+ context->etype_count);
+ old_etypes[context->etype_count] = NULL;
+ } else {
+ return ENOMEM;
+ }
+
+ *etypes = old_etypes;
+ return 0;
+
}
#define KRB5_INT_FUNC_PROTO__
krb5_error_code krb5_tgtname
- PROTOTYPE((krb5_context context,
- const krb5_data *,
- const krb5_data *,
- krb5_principal *));
+ PROTOTYPE((krb5_context context,
+ const krb5_data *,
+ const krb5_data *,
+ krb5_principal *));
krb5_error_code krb5_get_cred_via_tgt
- PROTOTYPE((krb5_context context,
- krb5_creds *,
- const krb5_flags,
- const krb5_enctype,
- const krb5_cksumtype,
- krb5_creds * ));
+ PROTOTYPE((krb5_context context,
+ krb5_creds *,
+ const krb5_flags,
+ const krb5_cksumtype,
+ krb5_creds * ));
+krb5_error_code krb5_get_cred_via_tgt
+ PROTOTYPE((krb5_context context,
+ krb5_creds *,
+ const krb5_flags,
+ const krb5_cksumtype,
+ krb5_creds * ));
#endif /* KRB5_INT_FUNC_PROTO__ */
* returns system errors, encryption errors, replay errors
*/
-typedef krb5_error_code (*rdreq_key_proc) PROTOTYPE((krb5_pointer,
- krb5_principal,
- krb5_kvno,
- krb5_keyblock **));
-
krb5_error_code
krb5_rd_req(context, inbuf, server, sender_addr, fetchfrom, keyproc,
keyprocarg, rcache, authdat)
static krb5_error_code decrypt_authenticator
PROTOTYPE((krb5_context, const krb5_ap_req *, krb5_authenticator **));
-typedef krb5_error_code (*rdreq_key_proc)
- PROTOTYPE((krb5_context, krb5_pointer, krb5_principal,
- krb5_kvno, krb5_keyblock **));
extern krb5_deltat krb5_clockskew;
#define in_clock_skew(date) (abs((date)-currenttime) < krb5_clockskew)
krb5_const_principal server;
const krb5_address *sender_addr;
const char * fetchfrom;
- rdreq_key_proc keyproc;
+ krb5_rdreq_key_proc keyproc;
krb5_pointer keyprocarg;
krb5_rcache rcache;
krb5_tkt_authent **authdat;
{
+ krb5_keytype keytype;
krb5_error_code retval = 0;
krb5_keyblock *tkt_key = NULL;
krb5_timestamp currenttime, starttime;
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */
+ /*
+ * OK we know the encryption type req->ticket->enc_part.etype,
+ * and now we need to get the keytype
+ */
+ keytype = krb5_csarray[req->ticket->enc_part.etype]->system->proto_keytype;
+
/* fetch a server key */
if (keyproc) {
retval = (*keyproc)(context, keyprocarg, req->ticket->server,
- req->ticket->enc_part.kvno, &tkt_key);
+ req->ticket->enc_part.kvno, keytype, &tkt_key);
} else {
krb5_keytab keytabid;
krb5_keytab_entry ktentry;
retval = krb5_kt_default(context, &keytabid);
}
if (!retval) {
- /*
- * OK we know the encryption type req->ticket->enc_part.etype,
- * and now we need to get the keytype
- */
- krb5_keytype keytype = krb5_csarray[req->ticket->enc_part.etype]->
- system->proto_keytype;
-
retval = krb5_kt_get_entry(context, keytabid, req->ticket->server,
req->ticket->enc_part.kvno, keytype,
&ktentry);
returns system errors
*/
krb5_error_code
-krb5_send_tgs(context, kdcoptions, timestruct, etype, sumtype, sname, addrs,
+krb5_send_tgs(context, kdcoptions, timestruct, etypes, sumtype, sname, addrs,
authorization_data, padata, second_ticket, usecred, rep)
krb5_context context;
const krb5_flags kdcoptions;
const krb5_ticket_times * timestruct;
- const krb5_enctype etype;
+ const krb5_enctype * etypes;
const krb5_cksumtype sumtype;
krb5_const_principal sname;
krb5_address * const * addrs;
krb5_data *scratch, scratch2;
krb5_ticket *sec_ticket = 0;
krb5_ticket *sec_ticket_arr[2];
- krb5_enctype etypes[1];
krb5_timestamp time_now;
krb5_pa_data **combined_padata;
krb5_pa_data ap_req_padata;
- if (!valid_etype(etype))
- return KRB5_PROG_ETYPE_NOSUPP;
-
memset((char *)&tgsreq, 0, sizeof(tgsreq));
+ if (etypes) {
+ /* Check passed etypes and make sure they're valid. */
+ for (tgsreq.netypes = 0; etypes[tgsreq.netypes]; tgsreq.netypes++) {
+ if (!valid_etype(etypes[tgsreq.netypes]))
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+ tgsreq.etype = (krb5_enctype *)etypes;
+ } else {
+ /* Get the default etypes */
+ krb5_get_default_in_tkt_etypes(context, &(tgsreq.etype));
+ for(tgsreq.netypes = 0; tgsreq.etype[tgsreq.netypes]; tgsreq.netypes++);
+ }
+
tgsreq.kdc_options = kdcoptions;
tgsreq.server = (krb5_principal) sname;
/* XXX we know they are the same size... */
tgsreq.nonce = (krb5_int32) time_now;
- etypes[0] = etype;
- tgsreq.etype = etypes;
- tgsreq.netypes = 1;
-
tgsreq.addresses = (krb5_address **) addrs;
if (authorization_data) {
if (retval = encode_krb5_authdata(authorization_data, &scratch))
return(retval);
- krb5_use_cstype(context, &eblock, etype);
- tgsreq.authorization_data.etype = etype;
+ krb5_use_cstype(context, &eblock, usecred->keyblock.etype);
+ tgsreq.authorization_data.etype = usecred->keyblock.etype;
tgsreq.authorization_data.kvno = 0; /* ticket session key has */
/* no version */
tgsreq.authorization_data.ciphertext.length =
projects / krb5.git / commitdiff