return retval;
}
-
-#define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
-/* helper function: convert flags to necessary KDC options */
-#define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
-
-/* Get a TGT for use at the remote host */
-krb5_error_code INTERFACE
-get_for_creds(context, auth_context, rhost, client, forwardable, outbuf)
- krb5_context context;
- krb5_auth_context auth_context;
- char *rhost;
- krb5_principal client;
- int forwardable; /* Should forwarded TGT also be forwardable? */
- krb5_data *outbuf;
-{
- krb5_replay_data replaydata;
- krb5_data * scratch;
- struct hostent *hp;
- krb5_address **addrs;
- krb5_error_code retval;
- krb5_error *err_reply;
- krb5_creds creds, tgt;
- krb5_creds *pcreds;
- krb5_ccache cc;
- krb5_flags kdcoptions;
- krb5_timestamp now;
- char *remote_host = 0;
- char **hrealms = 0;
- int i;
-
- memset((char *)&creds, 0, sizeof(creds));
-
- if (!rhost || !(hp = gethostbyname(rhost)))
- return KRB5_ERR_BAD_HOSTNAME;
-
- remote_host = (char *) malloc(strlen(hp->h_name)+1);
- if (!remote_host) {
- retval = ENOMEM;
- goto errout;
- }
- strcpy(remote_host, hp->h_name);
-
- if (retval = krb5_get_host_realm(context, remote_host, &hrealms))
- goto errout;
- if (!hrealms[0]) {
- retval = KRB5_ERR_HOST_REALM_UNKNOWN;
- goto errout;
- }
-
- /* Count elements */
- for(i=0; hp->h_addr_list[i]; i++);
-
- addrs = (krb5_address **) malloc ((i+1)*sizeof(*addrs));
- if (!addrs) {
- retval = ENOMEM;
- goto errout;
- }
- memset(addrs, 0, (i+1)*sizeof(*addrs));
-
- for(i=0; hp->h_addr_list[i]; i++) {
- addrs[i] = (krb5_address *) malloc(sizeof(krb5_address));
- if (!addrs[i]) {
- retval = ENOMEM;
- goto errout;
- }
- addrs[i]->addrtype = hp->h_addrtype;
- addrs[i]->length = hp->h_length;
- addrs[i]->contents = (unsigned char *)malloc(addrs[i]->length);
- if (!addrs[i]->contents) {
- retval = ENOMEM;
- goto errout;
- }
- memcpy ((char *)addrs[i]->contents, hp->h_addr_list[i],
- addrs[i]->length);
- }
- addrs[i] = 0;
-
- if (retval = krb5_copy_principal(context, client, &creds.client))
- goto errout;
-
- if (retval = krb5_build_principal_ext(context, &creds.server,
- strlen(hrealms[0]),
- hrealms[0],
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0))
- goto errout;
-
- creds.times.starttime = 0;
- if (retval = krb5_timeofday(context, &now))
- goto errout;
-
- creds.times.endtime = now + KRB5_DEFAULT_LIFE;
- creds.times.renew_till = 0;
-
- if (retval = krb5_cc_default(context, &cc))
- goto errout;
-
- /* fetch tgt directly from cache */
- retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
- &creds, &tgt);
- krb5_cc_close(context, cc);
- if (retval)
- goto errout;
-
- /* tgt->client must be equal to creds.client */
- if (!krb5_principal_compare(context, tgt.client, creds.client)) {
- retval = KRB5_PRINC_NOMATCH;
- goto errout;
- }
-
- if (!tgt.ticket.length) {
- retval = KRB5_NO_TKT_SUPPLIED;
- goto errout;
- }
-
- kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
-
- if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
- kdcoptions &= ~(KDC_OPT_FORWARDABLE);
-
- if (retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds))
- goto errout;
-
- retval = krb5_mk_1cred(context, auth_context, pcreds,
- &scratch, &replaydata);
- krb5_free_creds(context, pcreds);
- *outbuf = *scratch;
- krb5_xfree(scratch);
-
-errout:
- if (remote_host)
- free(remote_host);
- if (hrealms)
- krb5_xfree(hrealms);
- if (addrs)
- krb5_free_addresses(context, addrs);
- krb5_free_cred_contents(context, &creds);
- return retval;
-}
-
#endif /* defined(KRB5) && defined(FORWARD) */
krb5_ccache ccache;
krb5_creds creds; /* telnet gets session key from here */
krb5_creds * new_creds = 0;
- extern krb5_flags krb5_kdc_default_options;
int ap_opts;
#ifdef ENCRYPTION
return(0);
}
- if (r = krb5_cc_default(telnet_context, &ccache)) {
+ if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
printf("Kerberos V5: could not get default ccache\r\n");
}
}
memset((char *)&creds, 0, sizeof(creds));
- if (r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
- KRB5_NT_SRV_HST, &creds.server)) {
+ if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName,
+ "host", KRB5_NT_SRV_HST,
+ &creds.server))) {
if (auth_debug_mode)
printf("Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
krb5_princ_set_realm(telnet_context, creds.server, &rdata);
}
- if (r = krb5_cc_get_principal(telnet_context, ccache, &creds.client)) {
+ if ((r = krb5_cc_get_principal(telnet_context, ccache,
+ &creds.client))) {
if (auth_debug_mode) {
printf("Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
return(0);
}
- if (r = krb5_get_credentials(telnet_context, 0,
- ccache, &creds, &new_creds)) {
+ if ((r = krb5_get_credentials(telnet_context, 0,
+ ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
printf("Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
ap_opts |= AP_OPTS_USE_SUBKEY;
#endif /* ENCRYPTION */
- if (r = krb5_auth_con_init(telnet_context, &auth_context)) {
+ if ((r = krb5_auth_con_init(telnet_context, &auth_context))) {
if (auth_debug_mode) {
printf("Kerberos V5: failed to init auth_context (%s)\r\n",
error_message(r));
}
if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
/* do ap_rep stuff here */
- if (r = krb5_mk_rep(telnet_context, auth_context, &outbuf))
+ if ((r = krb5_mk_rep(telnet_context, auth_context,
+ &outbuf)))
goto errout;
Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
inbuf.length = cnt;
inbuf.data = (char *)data;
- if (r = krb5_rd_rep(telnet_context, auth_context, &inbuf,
- &reply)) {
+ if ((r = krb5_rd_rep(telnet_context, auth_context, &inbuf,
+ &reply))) {
printf("[ Mutual authentication failed: %s ]\r\n",
error_message(r));
auth_send_retry();
{
krb5_error_code r;
krb5_ccache ccache;
- krb5_principal client;
+ krb5_principal client = 0;
+ krb5_principal server = 0;
krb5_data forw_creds;
- if (r = krb5_cc_default(telnet_context, &ccache)) {
+ forw_creds.data = 0;
+
+ if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode)
printf("Kerberos V5: could not get default ccache - %s\r\n",
error_message(r));
return;
}
- if (r = krb5_cc_get_principal(telnet_context, ccache, &client)) {
+ if ((r = krb5_cc_get_principal(telnet_context, ccache, &client))) {
if (auth_debug_mode)
printf("Kerberos V5: could not get default principal - %s\r\n",
error_message(r));
- return;
+ goto cleanup;
+ }
+
+ if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
+ KRB5_NT_SRV_HST, &server))) {
+ if (auth_debug_mode)
+ printf("Kerberos V5: could not make server principal - %s\r\n",
+ error_message(r));
+ goto cleanup;
}
+
- if (r = krb5_auth_con_genaddrs(telnet_context, auth_context, net,
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR)) {
+ if ((r = krb5_auth_con_genaddrs(telnet_context, auth_context, net,
+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))) {
if (auth_debug_mode)
printf("Kerberos V5: could not gen local full address - %s\r\n",
error_message(r));
- return;
+ goto cleanup;
}
- if (r = get_for_creds(telnet_context, auth_context, RemoteHostName, client,
- forward_flags & OPTS_FORWARDABLE_CREDS, &forw_creds)){
+ if ((r = krb5_fwd_tgt_creds(telnet_context, auth_context, 0, client,
+ server, ccache,
+ forward_flags & OPTS_FORWARDABLE_CREDS,
+ &forw_creds))) {
if (auth_debug_mode)
printf("Kerberos V5: error getting forwarded creds - %s\r\n",
error_message(r));
- return;
+ goto cleanup;
}
/* Send forwarded credentials */
if (auth_debug_mode)
printf("Forwarded local Kerberos V5 credentials to server\r\n");
}
+
+cleanup:
+ if (client)
+ krb5_free_principal(telnet_context, client);
+ if (server)
+ krb5_free_principal(telnet_context, server);
+ if (forw_creds.data)
+ free(forw_creds.data);
+ krb5_cc_close(telnet_context, ccache);
}
#endif /* FORWARD */
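Review bot: At `cleanup:` the buffer that `krb5_fwd_tgt_creds` placed in `forw_creds` is released with plain `free()`, which ties this caller to the library's internal allocator and is the usual allocator-mismatch hazard when the library is built or linked differently; the library's own release routine keeps ownership symmetric, so replace `if (forw_creds.data) free(forw_creds.data);` with `krb5_free_data_contents(telnet_context, &forw_creds);`. The enclosing function's signature and the line that actually transmits the forwarded credentials are outside the hunk, so I am assuming the send sits between the `krb5_fwd_tgt_creds` check and the debug printf and that `forw_creds` is no longer referenced once the cleanup path runs. The early `return` after a failed `krb5_cc_default` correctly bypasses `krb5_cc_close`, since no cache handle exists yet; a one-line comment such as `/* nothing to release yet: ccache was never opened */` there would make that asymmetry with the `goto cleanup` paths explicit.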