+
+Wed Apr 26 22:49:18 1995 Chris Provenzano (proven@mit.edu)
+
+ * gc_via_tgt.c, and gc_2tgt.c : Removed.
+ * Makefile.in, gc_via_tkt.c, gc_frm_kdc.c, and, int-proto.h :
+ Replaced get_cred_via_tgt() and get_cred_via_2tgt()
+ with more general function get_cred_via_tkt().
+
Tue Apr 25 21:58:23 1995 Chris Provenzano (proven@mit.edu)
* Makefile.in : Added gc_via_tkt.c and removed get_fcreds.c
free_rtree.$(OBJEXT) \
faddr_ordr.$(OBJEXT) \
gc_frm_kdc.$(OBJEXT) \
- gc_via_tgt.$(OBJEXT) \
gc_via_tkt.$(OBJEXT) \
- gc_2tgt.$(OBJEXT) \
gen_seqnum.$(OBJEXT) \
gen_subkey.$(OBJEXT) \
get_creds.$(OBJEXT) \
$(srcdir)/free_rtree.c \
$(srcdir)/faddr_ordr.c \
$(srcdir)/gc_frm_kdc.c \
- $(srcdir)/gc_via_tgt.c \
$(srcdir)/gc_via_tkt.c \
- $(srcdir)/gc_2tgt.c \
$(srcdir)/gen_seqnum.c \
$(srcdir)/gen_subkey.c \
$(srcdir)/get_creds.c \
+++ /dev/null
-/*
- * lib/krb5/krb/gc_2tgt.c
- *
- * Copyright 1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Given two tgts, get a ticket.
- */
-
-#include "k5-int.h"
-#include "int-proto.h"
-
-krb5_error_code
-krb5_get_cred_via_2tgt (context, tgt, kdcoptions, sumtype, in_cred, out_cred)
- krb5_context context;
- krb5_creds *tgt;
- const krb5_flags kdcoptions;
- const krb5_cksumtype sumtype;
- krb5_creds * in_cred;
- krb5_creds ** out_cred;
-{
- krb5_error_code retval;
-#if 0
- krb5_principal tempprinc;
-#endif
- krb5_data *scratch;
- krb5_kdc_rep *dec_rep;
- krb5_error *err_reply;
- krb5_response tgsrep;
- krb5_enctype etype;
-
- /* tgt->client must be equal to in_cred->client */
- /* tgt->server must be equal to krbtgt/realmof(cred->client) */
- if (!krb5_principal_compare(context, tgt->client, in_cred->client))
- return KRB5_PRINC_NOMATCH;
-
- if (!tgt->ticket.length)
- return(KRB5_NO_TKT_SUPPLIED);
-
- if (!in_cred->second_ticket.length)
- return(KRB5_NO_2ND_TKT);
-
-#if 0 /* What does this do? */
- if (retval = krb5_tgtname(context, krb5_princ_realm(in_cred->server),
- krb5_princ_realm(context, in_cred->client), &tempprinc))
- return(retval);
-
- if (!krb5_principal_compare(context, tempprinc, tgt->server)) {
- krb5_free_principal(context, tempprinc);
- return KRB5_PRINC_NOMATCH;
- }
- krb5_free_principal(context, tempprinc);
-#endif
-
- if (!(kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY))
- return KRB5_INVALID_FLAGS;
-
- if (retval = krb5_send_tgs(context, kdcoptions, &in_cred->times, NULL,
- sumtype, in_cred->server, tgt->addresses,
- in_cred->authdata,
- 0, /* no padata */
- &in_cred->second_ticket, tgt, &tgsrep))
- return retval;
-
- if (tgsrep.message_type != KRB5_TGS_REP)
- {
- if (!krb5_is_krb_error(&tgsrep.response)) {
- free(tgsrep.response.data);
- return KRB5KRB_AP_ERR_MSG_TYPE;
- }
- retval = decode_krb5_error(&tgsrep.response, &err_reply);
- if (retval) {
- free(tgsrep.response.data);
- return retval;
- }
- retval = err_reply->error + ERROR_TABLE_BASE_krb5;
-
- krb5_free_error(context, err_reply);
- free(tgsrep.response.data);
- return retval;
- }
- etype = tgt->keyblock.etype;
- retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock,
- etype, &dec_rep);
- free(tgsrep.response.data);
- if (retval)
- return retval;
-
- if (dec_rep->msg_type != KRB5_TGS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto errout;
- }
-
- /* now it's decrypted and ready for prime time */
-
- if (!krb5_principal_compare(context, dec_rep->client, tgt->client)) {
- retval = KRB5_KDCREP_MODIFIED;
- goto errout;
- }
-
- /*
- * get a cred structure
- * The caller is responsible for cleaning up
- */
- if (((*out_cred) = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) {
- retval = ENOMEM;
- goto errout;
- }
-
- /* Copy the client straig from in_cred */
- if (retval = krb5_copy_principal(context, in_cred->client,
- &(*out_cred)->client)) {
- goto errout;
- }
-
- /* put pieces into out_cred-> */
- (*out_cred)->keyblock.magic = KV5M_KEYBLOCK;
- (*out_cred)->keyblock.etype = dec_rep->ticket->enc_part.etype;
- if (retval = krb5_copy_keyblock_contents(context,
- dec_rep->enc_part2->session,
- &(*out_cred)->keyblock))
- goto errout;
-
- /* Should verify that the ticket is what we asked for. */
-#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
- (*out_cred)->times = dec_rep->enc_part2->times;
-#else
- memcpy(&(*out_cred)->times, &dec_rep->enc_part2->times,
- sizeof(krb5_ticket_times));
-#endif
-
- (*out_cred)->ticket_flags = dec_rep->enc_part2->flags;
- (*out_cred)->is_skey = TRUE;
- if (dec_rep->enc_part2->caddrs)
- retval = krb5_copy_addresses(context, dec_rep->enc_part2->caddrs,
- &(*out_cred)->addresses);
- else
- /* no addresses in the list means we got what we had */
- retval = krb5_copy_addresses(context, tgt->addresses, &(*out_cred)->addresses);
- if (retval)
- goto errout;
-
- if (retval = krb5_copy_principal(context, dec_rep->enc_part2->server,
- &(*out_cred)->server))
- goto errout;
-
- if (retval = encode_krb5_ticket(dec_rep->ticket, &scratch))
- goto errout;
-
- (*out_cred)->ticket = *scratch;
- krb5_xfree(scratch);
-
-errout:
- if (retval) {
- if (*out_cred) {
- if ((*out_cred)->keyblock.contents) {
- memset((*out_cred)->keyblock.contents, 0,
- (*out_cred)->keyblock.length);
- krb5_xfree((*out_cred)->keyblock.contents);
- (*out_cred)->keyblock.contents = 0;
- }
- if ((*out_cred)->addresses) {
- krb5_free_addresses(context, (*out_cred)->addresses);
- (*out_cred)->addresses = 0;
- }
- if ((*out_cred)->server) {
- krb5_free_principal(context, (*out_cred)->server);
- (*out_cred)->server = 0;
- }
- krb5_free_creds(context, *out_cred);
- }
- }
- memset((char *)dec_rep->enc_part2->session->contents, 0,
- dec_rep->enc_part2->session->length);
- krb5_free_kdc_rep(context, dec_rep);
- return retval;
-}
-
-/*
- * Local variables:
- * mode:c
- * eval: (make-local-variable (quote c-indent-level))
- * eval: (make-local-variable (quote c-continued-statement-offset))
- * eval: (setq c-indent-level 4 c-continued-statement-offset 4)
- * End:
- */
-
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
etype = TGT_ETYPE;
- if(retval = krb5_get_cred_via_tgt(context, &tgt,
- FLAGS2OPTS(tgtq.ticket_flags),
- krb5_kdc_req_sumtype,
- &tgtq, &tgtr)) {
+ if (retval = krb5_get_cred_via_tkt(context, &tgt,
+ FLAGS2OPTS(tgtq.ticket_flags),
+ tgt.addresses, &tgtq, &tgtr)) {
/*
* couldn't get one so now loop backwards through the realms
tgtq.is_skey = FALSE;
tgtq.ticket_flags = tgt.ticket_flags;
etype = TGT_ETYPE;
- if (retval = krb5_get_cred_via_tgt(context, &tgt,
+ if (retval = krb5_get_cred_via_tkt(context, &tgt,
FLAGS2OPTS(tgtq.ticket_flags),
- krb5_kdc_req_sumtype,
- &tgtq, &tgtr)) {
+ tgt.addresses, &tgtq, &tgtr)) {
continue;
}
}
etype = TGT_ETYPE;
- if (in_cred->second_ticket.length) {
- retval = krb5_get_cred_via_2tgt(context, &tgt,
- KDC_OPT_ENC_TKT_IN_SKEY |
- FLAGS2OPTS(tgt.ticket_flags),
- krb5_kdc_req_sumtype, in_cred, out_cred);
- } else {
- retval = krb5_get_cred_via_tgt(context, &tgt,
- FLAGS2OPTS(tgt.ticket_flags),
- krb5_kdc_req_sumtype, in_cred, out_cred);
- }
+ retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) |
+ (in_cred->second_ticket.length ?
+ KDC_OPT_ENC_TKT_IN_SKEY : 0),
+ tgt.addresses, in_cred, out_cred);
/* cleanup and return */
+++ /dev/null
-/*
- * lib/krb5/krb/gc_via_tgt.c
- *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
- * All Rights Reserved.
- *
- * Export of this software from the United States of America may
- * require a specific license from the United States Government.
- * It is the responsibility of any person or organization contemplating
- * export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
- * distribute this software and its documentation for any purpose and
- * without fee is hereby granted, provided that the above copyright
- * notice appear in all copies and that both that copyright notice and
- * this permission notice appear in supporting documentation, and that
- * the name of M.I.T. not be used in advertising or publicity pertaining
- * to distribution of the software without specific, written prior
- * permission. M.I.T. makes no representations about the suitability of
- * this software for any purpose. It is provided "as is" without express
- * or implied warranty.
- *
- *
- * Given a tgt, and a target cred, get it.
- */
-
-#include "k5-int.h"
-#include "int-proto.h"
-
-krb5_error_code
-krb5_get_cred_via_tgt (context, tgt, kdcoptions, sumtype, in_cred, out_cred)
- krb5_context context;
- krb5_creds * tgt;
- const krb5_flags kdcoptions;
- const krb5_cksumtype sumtype;
- krb5_creds * in_cred;
- krb5_creds ** out_cred;
-{
- krb5_error_code retval;
- krb5_principal tempprinc;
- krb5_data *scratch;
- krb5_kdc_rep *dec_rep;
- krb5_error *err_reply;
- krb5_response tgsrep;
-
- /* tgt->client must be equal to in_cred->client */
- if (!krb5_principal_compare(context, tgt->client, in_cred->client))
- return KRB5_PRINC_NOMATCH;
-
- if (!tgt->ticket.length)
- return(KRB5_NO_TKT_SUPPLIED);
-
- /* check if we have the right TGT */
- /* tgt->server must be equal to */
- /* krbtgt/realmof(cred->server)@realmof(tgt->server) */
-
- if (retval = krb5_tgtname(context,
- krb5_princ_realm(context, in_cred->server),
- krb5_princ_realm(context, tgt->server), &tempprinc))
- return(retval);
-
- if (!krb5_principal_compare(context, tempprinc, tgt->server)) {
- retval = KRB5_PRINC_NOMATCH;
- goto error_5;
- }
-
- if (retval = krb5_send_tgs(context, kdcoptions, &in_cred->times, NULL,
- sumtype, in_cred->server, tgt->addresses,
- in_cred->authdata,
- 0, /* no padata */
- 0, /* no second ticket */
- tgt, &tgsrep))
- goto error_5;
-
- switch (tgsrep.message_type) {
- case KRB5_TGS_REP:
- break;
- case KRB5_ERROR:
- default:
- if (krb5_is_krb_error(&tgsrep.response))
- retval = decode_krb5_error(&tgsrep.response, &err_reply);
- else
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
-
- if (retval) /* neither proper reply nor error! */
- goto error_4;
-
-#if 0
- /* XXX need access to the actual assembled request...
- need a change to send_tgs */
- if ((err_reply->ctime != request.ctime) ||
- !krb5_principal_compare(context, err_reply->server, request.server) ||
- !krb5_principal_compare(context, err_reply->client, request.client))
- retval = KRB5_KDCREP_MODIFIED;
- else
-#endif
- retval = err_reply->error + ERROR_TABLE_BASE_krb5;
-
- krb5_free_error(context, err_reply);
- goto error_4;
- }
-
- if (retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock,
- tgt->keyblock.etype, &dec_rep))
- goto error_4;
-
- if (dec_rep->msg_type != KRB5_TGS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto error_3;
- }
-
- /* now it's decrypted and ready for prime time */
- if (!krb5_principal_compare(context, dec_rep->client, tgt->client)) {
- retval = KRB5_KDCREP_MODIFIED;
- goto error_3;
- }
-
- /* get a cred structure */
- /* The caller is responsible for cleaning up */
- if (((*out_cred) = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) {
- retval = ENOMEM;
- goto error_2;
- }
- memset((*out_cred), 0, sizeof(krb5_creds));
-
- /* Copy the client straigt from in_cred */
- if (retval = krb5_copy_principal(context, in_cred->client,
- &(*out_cred)->client)) {
- goto error_2;
- }
-
- /* put pieces into out_cred-> */
- if (retval = krb5_copy_keyblock_contents(context,
- dec_rep->enc_part2->session,
- &(*out_cred)->keyblock)) {
- goto error_2;
- }
-
- (*out_cred)->keyblock.etype = dec_rep->ticket->enc_part.etype;
-#ifdef HAVE_C_STRUCTURE_ASSIGNMENT
- (*out_cred)->times = dec_rep->enc_part2->times;
-#else
- memcpy(&(*out_cred)->times, &dec_rep->enc_part2->times,
- sizeof(krb5_ticket_times));
-#endif
-
-#if 0
- /* XXX probably need access to the request */
- /* check the contents for sanity: */
- if (!krb5_principal_compare(context, dec_rep->client, request.client)
- || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server)
- || !krb5_principal_compare(context, dec_rep->ticket->server, request.server)
- || (request.nonce != dec_rep->enc_part2->nonce)
- /* XXX check for extraneous flags */
- /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */
- || ((request.from != 0) &&
- (request.from != dec_rep->enc_part2->times.starttime))
- || ((request.till != 0) &&
- (dec_rep->enc_part2->times.endtime > request.till))
- || ((request.kdc_options & KDC_OPT_RENEWABLE) &&
- (request.rtime != 0) &&
- (dec_rep->enc_part2->times.renew_till > request.rtime))
- || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) &&
- (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (request.till != 0) &&
- (dec_rep->enc_part2->times.renew_till > request.till))
- )
- retval = KRB5_KDCREP_MODIFIED;
-
- if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) {
- retval = KRB5_KDCREP_SKEW;
- goto error_1;
- }
-
-#endif
-
- (*out_cred)->ticket_flags = dec_rep->enc_part2->flags;
- (*out_cred)->is_skey = FALSE;
- if (dec_rep->enc_part2->caddrs) {
- if (retval = krb5_copy_addresses(context, dec_rep->enc_part2->caddrs,
- &(*out_cred)->addresses)) {
- goto error_1;
- }
- } else {
- /* no addresses in the list means we got what we had */
- if (retval = krb5_copy_addresses(context, tgt->addresses,
- &(*out_cred)->addresses)) {
- goto error_1;
- }
- }
- if (retval = krb5_copy_principal(context, dec_rep->enc_part2->server,
- &(*out_cred)->server)) {
- goto error_1;
- }
-
- if (retval = encode_krb5_ticket(dec_rep->ticket, &scratch)) {
- krb5_free_addresses(context, (*out_cred)->addresses);
- goto error_1;
- }
-
- (*out_cred)->ticket = *scratch;
- krb5_xfree(scratch);
-
-error_1:;
- if (retval)
- memset((*out_cred)->keyblock.contents, 0, (*out_cred)->keyblock.length);
-
-error_2:;
- if (retval)
- krb5_free_creds(context, *out_cred);
-
-error_3:;
- memset(dec_rep->enc_part2->session->contents, 0,
- dec_rep->enc_part2->session->length);
- krb5_free_kdc_rep(context, dec_rep);
-
-error_4:;
- free(tgsrep.response.data);
-
-error_5:;
- krb5_free_principal(context, tempprinc);
- return retval;
-}
#include "int-proto.h"
static krb5_error_code
-krb5_kdcrep2creds(context, pkdcrep, address, ppcreds)
+krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds)
krb5_context context;
krb5_kdc_rep * pkdcrep;
krb5_address *const * address;
+ krb5_data * psectkt;
krb5_creds ** ppcreds;
{
krb5_error_code retval;
&(*ppcreds)->keyblock))
goto cleanup;
- (*ppcreds)->keyblock.etype = pkdcrep->ticket->enc_part.etype;
+ if (retval = krb5_copy_data(context, psectkt, &pdata))
+ goto cleanup;
+ (*ppcreds)->second_ticket = *pdata;
+ krb5_xfree(pdata);
- (*ppcreds)->magic = KV5M_CREDS;
- (*ppcreds)->is_skey = 0; /* unused */
- (*ppcreds)->times = pkdcrep->enc_part2->times;
+ (*ppcreds)->keyblock.etype = pkdcrep->ticket->enc_part.etype;
(*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags;
+ (*ppcreds)->times = pkdcrep->enc_part2->times;
+ (*ppcreds)->magic = KV5M_CREDS;
- (*ppcreds)->authdata = NULL; /* not used */
- memset(&(*ppcreds)->second_ticket, 0, sizeof((*ppcreds)->second_ticket));
+ (*ppcreds)->authdata = NULL; /* not used */
+ (*ppcreds)->is_skey = 0; /* not used */
if (pkdcrep->enc_part2->caddrs) {
if (retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
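Review bot: `(*ppcreds)->is_skey = 0; /* not used */` is now applied to user-to-user replies as well, even though the second ticket is stored into the same cred a few lines above; the gc_2tgt.c path this commit deletes set `is_skey = TRUE` for those credentials, so a credential-cache lookup that matches on is_skey may no longer distinguish a ticket encrypted in the second ticket's session key from an ordinary service ticket. krb5_kdcrep2creds cannot tell from psectkt alone whether KDC_OPT_ENC_TKT_IN_SKEY was requested, so either pass the option flags in or derive it from the data it has, e.g. `(*ppcreds)->is_skey = (psectkt->length != 0);`. krb5_copy_data is also called on psectkt unconditionally, so the new parameter must never be NULL; that contract is worth stating on the declaration, `/* psectkt: second ticket to record in the cred; must be non-NULL, may be zero-length */`. krb5_kdcrep2creds starts and ends outside this hunk.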
krb5_creds ** out_cred;
{
krb5_error_code retval;
- krb5_principal tempprinc;
krb5_kdc_rep *dec_rep;
krb5_error *err_reply;
krb5_response tgsrep;
if (!tkt->ticket.length)
return KRB5_NO_TKT_SUPPLIED;
+ if ((kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) &&
+ (!in_cred->second_ticket.length))
+ return(KRB5_NO_2ND_TKT);
+
+
/* check if we have the right TGT */
/* tkt->server must be equal to */
/* krbtgt/realmof(cred->server)@realmof(tgt->server) */
-
/*
- if (retval = krb5_tgtname(context,
+ {
+ krb5_principal tempprinc;
+ if (retval = krb5_tgtname(context,
krb5_princ_realm(context, in_cred->server),
krb5_princ_realm(context, tkt->server), &tempprinc))
- return(retval);
+ return(retval);
- if (!krb5_principal_compare(context, tempprinc, tkt->server)) {
- retval = KRB5_PRINC_NOMATCH;
- goto error_5;
+ if (!krb5_principal_compare(context, tempprinc, tkt->server)) {
+ krb5_free_principal(context, tempprinc);
+ return (KRB5_PRINC_NOMATCH);
+ }
+ krb5_free_principal(context, tempprinc);
}
*/
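Review bot: The reworked `krb5_principal tempprinc;` block sits between the `/*` above it and the `*/` that closes it, so the krbtgt/realm sanity check remains dead code here, while the only live copy of that check (gc_via_tgt.c, deleted by this commit) disappears with it; every caller now routed through krb5_get_cred_via_tkt stops verifying client-side that `tkt->server` is `krbtgt/realmof(in_cred->server)@realmof(tkt->server)` before the ticket is sent to the KDC. The KDC presumably still rejects a mismatched request, so this reads as a lost KRB5_PRINC_NOMATCH diagnostic rather than a bypass, but it now also covers the user-to-user path where the supplied ticket is expected to be a TGT. If the check is intentionally disabled, replace the bare comment markers with a note saying why, e.g. `/* XXX tgt-name check disabled: <reason> */`; otherwise drop the `/*` and `*/` so the block runs. krb5_get_cred_via_tkt starts before this hunk.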
krb5_kdc_req_sumtype, /* To be removed */
in_cred->server, address, in_cred->authdata,
0, /* no padata */
- 0, /* no second ticket */
+ (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) ?
+ &in_cred->second_ticket : NULL,
tkt, &tgsrep))
- goto error_5;
+ return retval;
switch (tgsrep.message_type) {
case KRB5_TGS_REP:
/* XXX need access to the actual assembled request...
need a change to send_tgs */
if ((err_reply->ctime != request.ctime) ||
- !krb5_principal_compare(context, err_reply->server, request.server) ||
+ !krb5_principal_compare(context,err_reply->server,request.server) ||
!krb5_principal_compare(context, err_reply->client, request.client))
retval = KRB5_KDCREP_MODIFIED;
else
goto error_3;
}
- retval = krb5_kdcrep2creds(context, dec_rep, address, out_cred);
-
-
#if 0
/* XXX probably need access to the request */
/* check the contents for sanity: */
if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) {
retval = KRB5_KDCREP_SKEW;
- goto error_1;
+ goto error_3;
}
#endif
-error_1:;
- if (retval)
+ retval = krb5_kdcrep2creds(context, dec_rep, address,
+ &in_cred->second_ticket, out_cred);
error_3:;
memset(dec_rep->enc_part2->session->contents, 0,
error_4:;
free(tgsrep.response.data);
-
-error_5:;
- krb5_free_principal(context, tempprinc);
return retval;
}
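Review bot: The retarget to `goto error_3` only keeps an `#if 0` block consistent, so the request-versus-reply checks it contains (nonce, server, times, clock skew) still never run, and the decrypted TGS-REP is handed to krb5_kdcrep2creds without being compared to what was requested, apart from whatever check precedes the `goto error_3` at the top of the hunk; that matters a little more now that the same function also carries the user-to-user case. As the existing comment says, enabling it needs the assembled request from krb5_send_tgs, so at minimum the gap should be stated at the call site: `/* XXX reply is not checked against the request (nonce/server/times); see the #if 0 block above */`. krb5_get_cred_via_tkt's body starts before this hunk.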
const krb5_data *,
const krb5_data *,
krb5_principal *));
-krb5_error_code krb5_get_cred_via_tgt
- PROTOTYPE((krb5_context context,
- krb5_creds *,
- const krb5_flags,
- const krb5_cksumtype,
- krb5_creds *,
- krb5_creds **));
-krb5_error_code krb5_get_cred_via_2tgt
- PROTOTYPE((krb5_context context,
- krb5_creds *,
- const krb5_flags,
- const krb5_cksumtype,
- krb5_creds *,
- krb5_creds **));
#endif /* KRB5_INT_FUNC_PROTO__ */