}
if (authfrom->subkey) {
- if (!(tempto->subkey =
- (krb5_keyblock *)malloc(sizeof(*tempto->subkey)))) {
- krb5_free_checksum(tempto->checksum);
- krb5_free_principal(tempto->client);
- xfree(tempto);
- return ENOMEM;
- }
if (retval = krb5_copy_keyblock(authfrom->subkey,
- tempto->subkey)) {
+ &tempto->subkey)) {
xfree(tempto->subkey);
krb5_free_checksum(tempto->checksum);
krb5_free_principal(tempto->client);
* $Source$
* $Author$
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
*
* For copying and distribution information, please see the file
* <krb5/copyright.h>.
"$Id$";
#endif /* !lint & !SABER */
-#include <krb5/copyright.h>
#include <krb5/krb5.h>
#include <krb5/ext-proto.h>
goto cleanlast;
if (retval = krb5_copy_principal(incred->server, &tempcred->server))
goto cleanclient;
- if (retval = krb5_copy_keyblock(&incred->keyblock, &tempcred->keyblock))
+ if (retval = krb5_copy_keyblock_contents(&incred->keyblock,
+ &tempcred->keyblock))
goto cleanserver;
if (retval = krb5_copy_addresses(incred->addresses, &tempcred->addresses))
goto cleanblock;
if (retval = krb5_copy_data(&incred->ticket, &scratch))
goto cleanaddrs;
tempcred->ticket = *scratch;
- free((char *)scratch);
+ xfree(scratch);
if (retval = krb5_copy_data(&incred->second_ticket,
&scratch))
goto cleanticket;
tempcred->second_ticket = *scratch;
- free((char *)scratch);
+ xfree(scratch);
*outcred = tempcred;
return 0;
cleanaddrs:
krb5_free_address(tempcred->addresses);
cleanblock:
- free((char *)tempcred->keyblock.contents);
+ xfree(tempcred->keyblock.contents);
cleanserver:
krb5_free_principal(tempcred->server);
cleanclient:
krb5_free_principal(tempcred->client);
cleanlast:
- free((char *)tempcred);
+ xfree(tempcred);
return retval;
}
* $Source$
* $Author$
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
*
* For copying and distribution information, please see the file
* <krb5/copyright.h>.
"$Id$";
#endif /* !lint & !SABER */
-#include <krb5/copyright.h>
#include <krb5/krb5.h>
#include <krb5/ext-proto.h>
krb5_error_code
krb5_copy_keyblock(from, to)
const krb5_keyblock *from;
-krb5_keyblock *to;
+krb5_keyblock **to;
{
- *to = *from;
- to->contents = (krb5_octet *)malloc(to->length);
- if (!to->contents)
- return ENOMEM;
- memcpy((char *)to->contents, (char *)from->contents, to->length);
- return 0;
+ krb5_keyblock *new_key;
+
+ if (!(new_key = (krb5_keyblock *) malloc(sizeof(krb5_keyblock))))
+ return ENOMEM;
+ *new_key = *from;
+ if (!(new_key->contents = (krb5_octet *)malloc(new_key->length))) {
+ xfree(new_key);
+ return(ENOMEM);
+ }
+ memcpy((char *)new_key->contents, (char *)from->contents,
+ new_key->length);
+ *to = new_key;
+ return 0;
}
if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto))))
return ENOMEM;
*tempto = *partfrom;
- if (!(tempto->session =
- (krb5_keyblock *)malloc(sizeof(*tempto->session)))) {
- xfree(tempto);
- return ENOMEM;
- }
if (retval = krb5_copy_keyblock(partfrom->session,
- tempto->session)) {
+ &tempto->session)) {
xfree(tempto->session);
xfree(tempto);
return retval;
* $Source$
* $Author$
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
*
* For copying and distribution information, please see the file
* <krb5/copyright.h>.
"$Id$";
#endif /* !lint & !SABER */
-#include <krb5/copyright.h>
#include <krb5/krb5.h>
#include <krb5/asn1.h>
#include <krb5/libos-proto.h>
/* XXX issue warning if as_reply->enc_part2->key_exp is nearby */
/* fill in the credentials */
- if (retval = krb5_copy_keyblock(as_reply->enc_part2->session,
- &creds->keyblock)) {
+ if (retval = krb5_copy_keyblock_contents(as_reply->enc_part2->session,
+ &creds->keyblock)) {
memset((char *)as_reply->enc_part2->session->contents, 0,
as_reply->enc_part2->session->length);
krb5_free_kdc_rep(as_reply);
}
#define cleanup_key() {memset((char *)creds->keyblock.contents, 0,\
creds->keyblock.length); \
- free((char *)creds->keyblock.contents); \
+ xfree(creds->keyblock.contents); \
creds->keyblock.contents = 0; \
creds->keyblock.length = 0;}
return retval;
}
creds->ticket = *packet;
- free((char *) packet);
+ xfree(packet);
/* store it in the ccache! */
if (retval = krb5_cc_store_cred(ccache, creds)) {
/* clean up the pieces */
- free((char *)creds->ticket.data);
+ xfree(creds->ticket.data);
krb5_free_address(creds->addresses);
cleanup_key();
return retval;
* $Source$
* $Author$
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
*
* For copying and distribution information, please see the file
* <krb5/copyright.h>.
"$Id$";
#endif /* !lint & !SABER */
-#include <krb5/copyright.h>
#include <krb5/krb5.h>
#include <krb5/ext-proto.h>
}
#define cleanup() {if (arg->client) (void) krb5_kt_free_entry(&kt_ent);}
- realkey = (krb5_keyblock *)malloc(sizeof(*realkey));
- if (!realkey) {
- cleanup();
- return ENOMEM;
- }
-
if (arg->key)
- retval = krb5_copy_keyblock(arg->key, realkey);
+ retval = krb5_copy_keyblock(arg->key, &realkey);
else
- retval = krb5_copy_keyblock(&kt_ent.key, realkey);
+ retval = krb5_copy_keyblock(&kt_ent.key, &realkey);
if (retval) {
- free((char *)realkey);
+ xfree(realkey);
cleanup();
return retval;
}
int components = 0;
const char *parsed_realm = NULL;
int fcompsize[FCOMPNUM];
- char default_realm[512];
+ static char *default_realm = NULL;
krb5_data **principal;
krb5_error_code retval;
* realm....
*/
if (!parsed_realm) {
- retval = krb5_get_default_realm(sizeof(default_realm),
- default_realm);
- if (retval)
+ if (!default_realm &&
+ (retval = krb5_get_default_realm(&default_realm)))
return(retval);
principal[0]->length = fcompsize[0] = strlen(default_realm);
}
#include <krb5/ext-proto.h>
/*
- Parses an error message from enc_errbuf and fills in the contents of
- dec_error.
-
- Upon return dec_error->client,server,text, if non-NULL, point to allocated
- storage which the caller should free when finished.
-
- returns system errors
+ * Parses an error message from enc_errbuf and returns an allocated
+ * structure which contain the error message.
+ *
+ * Upon return dec_error will point to allocated storage which the
+ * caller should free when finished.
+ *
+ * returns system errors
*/
krb5_error_code
krb5_rd_error( enc_errbuf, dec_error)
const krb5_data *enc_errbuf;
-krb5_error *dec_error;
+krb5_error **dec_error;
{
- krb5_error_code retval;
- krb5_error *new_dec_error;
-
if (!krb5_is_krb_error(enc_errbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
- if (retval = decode_krb5_error(enc_errbuf, &new_dec_error))
- return(retval);
- *dec_error = *new_dec_error;
- (void)free((char *)new_dec_error);
- return 0;
+ return(decode_krb5_error(enc_errbuf, dec_error));
}
DECLARG(krb5_int32, seq_number),
DECLARG(krb5_int32, priv_flags),
DECLARG(krb5_pointer, i_vector),
+ DECLARG(krb5_rcache, rcache),
DECLARG(krb5_data *, outbuf))
OLDDECLARG(const krb5_data *, inbuf)
OLDDECLARG(const krb5_keyblock *, key)
OLDDECLARG(krb5_int32, seq_number)
OLDDECLARG(krb5_int32, priv_flags)
OLDDECLARG(krb5_pointer, i_vector)
+OLDDECLARG(krb5_rcache, rcache),
OLDDECLARG(krb5_data *, outbuf)
{
krb5_error_code retval;
*/
#if !defined(lint) && !defined(SABER)
-static char rcsid_rd_req_dec_c[] =
+static char rcsid_rd_rep_dec_c[] =
"$Id$";
#endif /* !lint & !SABER */
#include <krb5/asn1.h>
/*
- Parses a KRB_AP_REP message, returning its contents.
-
- repl is filled in with the fields from the encrypted response.
-
- the key in kblock is used to decrypt the message.
-
- returns system errors, encryption errors, replay errors
+ * Parses a KRB_AP_REP message, returning its contents.
+ *
+ * repl is filled in with with a pointer to allocated memory containing
+ * the fields from the encrypted response.
+ *
+ * the key in kblock is used to decrypt the message.
+ *
+ * returns system errors, encryption errors, replay errors
*/
krb5_error_code
krb5_rd_rep(inbuf, kblock, repl)
const krb5_data *inbuf;
const krb5_keyblock *kblock;
-krb5_ap_rep_enc_part *repl;
+krb5_ap_rep_enc_part **repl;
{
krb5_error_code retval;
krb5_ap_rep *reply;
krb5_encrypt_block eblock;
krb5_data scratch;
- krb5_ap_rep_enc_part *local_repl;
if (!krb5_is_ap_rep(inbuf))
return KRB5KRB_AP_ERR_MSG_TYPE;
return retval;
}
/* now decode the decrypted stuff */
- if (!(retval = decode_krb5_ap_rep_enc_part(&scratch, &local_repl))) {
- *repl = *local_repl;
- free((char *)local_repl);
- }
+ retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
clean_scratch();
return retval;
}
#include <krb5/ext-proto.h>
/*
- Parses a KRB_AP_REQ message, returning its contents.
-
- server specifies the expected server's name for the ticket.
-
- sender_addr specifies the address(es) expected to be present in the
- ticket.
-
- rcache specifies a replay detection cache used to store authenticators and
- server names
-
- keyproc specifies a procedure to generate a decryption key for the
- ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
- used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
- if it is non-NULL, it specifies a parameter name from which to retrieve the
- decryption key. If fetchfrom is NULL, then the default key store is
- consulted.
-
- authdat->ticket and authdat->authenticator are set to allocated storage
- structures; the caller should free them when finished.
-
- returns system errors, encryption errors, replay errors
+ * Parses a KRB_AP_REQ message, returning its contents.
+ *
+ * server specifies the expected server's name for the ticket.
+ *
+ * sender_addr specifies the address(es) expected to be present in the
+ * ticket.
+ *
+ * rcache specifies a replay detection cache used to store authenticators and
+ * server names
+ *
+ * keyproc specifies a procedure to generate a decryption key for the
+ * ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
+ * used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
+ * if it is non-NULL, it specifies a parameter name from which to retrieve the
+ * decryption key. If fetchfrom is NULL, then the default key store is
+ * consulted.
+ *
+ * authdat is set to point at allocated storage structures; the caller
+ * should free them when finished.
+ *
+ * returns system errors, encryption errors, replay errors
*/
/* widen prototypes, if needed */
rdreq_key_proc keyproc;
krb5_pointer keyprocarg;
krb5_rcache rcache;
-krb5_tkt_authent *authdat;
+krb5_tkt_authent **authdat;
{
krb5_error_code retval;
krb5_ap_req *request;
#include <krb5/asn1.h>
/*
- essentially the same as krb_rd_req, but uses a decoded AP_REQ as the input
- rather than an encoded input.
+ * essentially the same as krb_rd_req, but uses a decoded AP_REQ as
+ * the input rather than an encoded input.
*/
/*
- Parses a KRB_AP_REQ message, returning its contents.
-
- server specifies the expected server's name for the ticket; if NULL, then
- any server will be accepted if the key can be found, and the caller should
- verify that the principal is something it trusts.
-
- sender_addr specifies the address(es) expected to be present in the
- ticket.
-
- rcache specifies a replay detection cache used to store authenticators and
- server names
-
- keyproc specifies a procedure to generate a decryption key for the
- ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
- used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
- if it is non-NULL, it specifies a parameter name from which to retrieve the
- decryption key. If fetchfrom is NULL, then the default key store is
- consulted.
-
- authdat->ticket and authdat->authenticator are set to allocated storage
- structures; the caller should free them when finished.
-
- returns system errors, encryption errors, replay errors
+ * Parses a KRB_AP_REQ message, returning its contents.
+ *
+ * server specifies the expected server's name for the ticket; if NULL, then
+ * any server will be accepted if the key can be found, and the caller should
+ * verify that the principal is something it trusts.
+ *
+ * sender_addr specifies the address(es) expected to be present in the
+ * ticket.
+ *
+ * rcache specifies a replay detection cache used to store authenticators and
+ * server names
+ *
+ * keyproc specifies a procedure to generate a decryption key for the
+ * ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
+ * used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
+ * if it is non-NULL, it specifies a parameter name from which to retrieve the
+ * decryption key. If fetchfrom is NULL, then the default key store is
+ * consulted.
+ *
+ * authdat is set to point at allocated storage structures; the caller
+ * should free them when finished.
+ *
+ * returns system errors, encryption errors, replay errors
*/
/* widen prototypes, if needed */
#include <krb5/widen.h>
-static krb5_error_code decrypt_authenticator PROTOTYPE((const krb5_ap_req *,
- krb5_authenticator **));
-typedef krb5_error_code (*rdreq_key_proc) PROTOTYPE((krb5_pointer,
- krb5_principal,
- krb5_kvno,
- krb5_keyblock **));
+static krb5_error_code decrypt_authenticator
+ PROTOTYPE((const krb5_ap_req *, krb5_authenticator **));
+typedef krb5_error_code (*rdreq_key_proc)
+ PROTOTYPE((krb5_pointer, krb5_principal, krb5_kvno, krb5_keyblock **));
+
/* and back to normal... */
#include <krb5/narrow.h>
krb5_error_code
krb5_rd_req_decoded(req, server, sender_addr, fetchfrom, keyproc, keyprocarg,
- rcache, tktauthent)
+ rcache, authdat)
const krb5_ap_req *req;
krb5_const_principal server;
const krb5_address *sender_addr;
rdreq_key_proc keyproc;
krb5_pointer keyprocarg;
krb5_rcache rcache;
-krb5_tkt_authent *tktauthent;
+krb5_tkt_authent **authdat;
{
- krb5_error_code retval;
- krb5_keyblock *tkt_key;
- krb5_keyblock tkt_key_real;
+ krb5_error_code retval = 0;
+ krb5_keyblock *tkt_key = NULL;
krb5_timestamp currenttime, starttime;
-
+ krb5_tkt_authent *tktauthent = NULL;
if (server && !krb5_principal_compare(server, req->ticket->server))
return KRB5KRB_AP_WRONG_PRINC;
req->ticket->enc_part.kvno, &ktentry);
(void) krb5_kt_close(keytabid);
if (!retval) {
- retval = krb5_copy_keyblock(&ktentry.key, &tkt_key_real);
- tkt_key = &tkt_key_real;
+ retval = krb5_copy_keyblock(&ktentry.key, &tkt_key);
(void) krb5_kt_free_entry(&ktentry);
}
}
return retval; /* some error in getting the key */
/* decrypt the ticket */
- if (retval = krb5_decrypt_tkt_part(tkt_key, req->ticket))
+ if (retval = krb5_decrypt_tkt_part(tkt_key, req->ticket)) {
+ krb5_free_keyblock(tkt_key);
return(retval);
+ }
-#define clean_ticket() krb5_free_enc_tkt_part(req->ticket->enc_part2)
-
- if (retval = decrypt_authenticator(req, &tktauthent->authenticator)) {
- clean_ticket();
- return retval;
+ /*
+ * Now we allocate space for the krb5_tkt_authent structure. If
+ * we ever have an error, we're responsible for freeing it.
+ */
+ if (!(tktauthent =
+ (krb5_tkt_authent *) malloc(sizeof(krb5_tkt_authent)))) {
+ retval = ENOMEM;
+ goto cleanup;
}
-#define clean_authenticator() {(void) krb5_free_authenticator(tktauthent->authenticator); tktauthent->authenticator = 0;}
+
+ if (retval = decrypt_authenticator(req, &tktauthent->authenticator))
+ goto cleanup;
+ *authdat = NULL; /* Set authdat to tktauthent when we finish */
if (!krb5_principal_compare(tktauthent->authenticator->client,
req->ticket->enc_part2->client)) {
- clean_authenticator();
- return KRB5KRB_AP_ERR_BADMATCH;
+ retval = KRB5KRB_AP_ERR_BADMATCH;
+ goto cleanup;
}
if (sender_addr && !krb5_address_search(sender_addr, req->ticket->enc_part2->caddrs)) {
- clean_authenticator();
- return KRB5KRB_AP_ERR_BADADDR;
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
}
- if (retval = krb5_timeofday(¤ttime)) {
- clean_authenticator();
- return retval;
- }
+ if (retval = krb5_timeofday(¤ttime))
+ goto cleanup;
if (!in_clock_skew(tktauthent->authenticator->ctime)) {
- clean_authenticator();
- return KRB5KRB_AP_ERR_SKEW;
+ retval = KRB5KRB_AP_ERR_SKEW;
+ goto cleanup;
}
tktauthent->ticket = req->ticket; /* only temporarily...allocated
if (rcache) {
krb5_donot_replay rep;
- if (retval = krb5_auth_to_rep(tktauthent, &rep)) {
- tktauthent->ticket = 0;
- clean_authenticator();
- return retval;
- }
- if (retval = krb5_rc_store(rcache, &rep)) {
- xfree(rep.server);
- xfree(rep.client);
- tktauthent->ticket = 0;
- clean_authenticator();
- return retval;
- }
+ if (retval = krb5_auth_to_rep(tktauthent, &rep))
+ goto cleanup;
+ retval = krb5_rc_store(rcache, &rep);
xfree(rep.server);
xfree(rep.client);
+ if (retval)
+ goto cleanup;
}
tktauthent->ticket = 0;
starttime = req->ticket->enc_part2->times.authtime;
if (starttime - currenttime > krb5_clockskew) {
- clean_authenticator();
- return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
+ retval = KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
+ goto cleanup;
}
if (currenttime - req->ticket->enc_part2->times.endtime > krb5_clockskew) {
- clean_authenticator();
- return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+ retval = KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+ goto cleanup;
}
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
- clean_authenticator();
- return KRB5KRB_AP_ERR_TKT_INVALID;
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto cleanup;
+ }
+ retval = krb5_copy_ticket(req->ticket, &tktauthent->ticket);
+
+cleanup:
+ if (tktauthent) {
+ if (retval) {
+ krb5_free_tkt_authent(tktauthent);
+ } else {
+ tktauthent->ap_options = req->ap_options;
+ *authdat = tktauthent;
+ }
+ }
+ if (retval && req->ticket->enc_part2) {
+ /* only free if we're erroring out...otherwise some
+ applications will need the output. */
+ krb5_free_enc_tkt_part(req->ticket->enc_part2);
+ req->ticket->enc_part2 = NULL;
}
- if (retval = krb5_copy_ticket(req->ticket, &tktauthent->ticket)) {
- clean_authenticator();
- } else
- tktauthent->ap_options = req->ap_options;
+ if (tkt_key)
+ krb5_free_keyblock(tkt_key);
return retval;
}
#include <krb5/ext-proto.h>
/*
- Parses a KRB_AP_REQ message, returning its contents.
-
- server specifies the expected server's name for the ticket.
-
- sender_addr specifies the address(es) expected to be present in the
- ticket.
-
- A replay cache name derived from the first component of the service name
- is used.
-
- The default key store is consulted to find the service key.
-
- authdat->ticket and authdat->authenticator are set to allocated storage
- structures; the caller should free them when finished.
-
- returns system errors, encryption errors, replay errors
+ * Parses a KRB_AP_REQ message, returning its contents.
+ *
+ * server specifies the expected server's name for the ticket.
+ *
+ * sender_addr specifies the address(es) expected to be present in the
+ * ticket.
+ *
+ * A replay cache name derived from the first component of the service name
+ * is used.
+ *
+ * The default key store is consulted to find the service key.
+ *
+ * authdat isset to point at allocated structures; the caller should
+ * free it when finished.
+ *
+ * returns system errors, encryption errors, replay errors
*/
krb5_error_code
const krb5_data *inbuf;
krb5_const_principal server;
const krb5_address *sender_addr;
-krb5_tkt_authent *authdat;
+krb5_tkt_authent **authdat;
{
krb5_error_code retval;
krb5_ap_req *request;
returns system errors, integrity errors
*/
krb5_error_code
-krb5_rd_safe(inbuf, key, sender_addr, recv_addr, seq_number, safe_flags, outbuf)
+krb5_rd_safe(inbuf, key, sender_addr, recv_addr, seq_number, safe_flags,
+ rcache, outbuf)
const krb5_data *inbuf;
const krb5_keyblock *key;
const krb5_address *sender_addr;
const krb5_address *recv_addr;
krb5_int32 seq_number;
krb5_int32 safe_flags;
+krb5_rcache rcache;
krb5_data *outbuf;
{
krb5_error_code retval;