From 2b9698b4e38ae33646e3e34b097a460d4e9e278e Mon Sep 17 00:00:00 2001 From: Chris Provenzano Date: Thu, 27 Apr 1995 02:52:57 +0000 Subject: [PATCH] * gc_via_tgt.c, and gc_2tgt.c : Removed. * Makefile.in, gc_via_tkt.c, gc_frm_kdc.c, and, int-proto.h : Replaced get_cred_via_tgt() and get_cred_via_2tgt() with more general function get_cred_via_tkt(). git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5532 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/ChangeLog | 8 ++ src/lib/krb5/krb/Makefile.in | 4 - src/lib/krb5/krb/gc_2tgt.c | 204 ------------------------------- src/lib/krb5/krb/gc_frm_kdc.c | 26 ++-- src/lib/krb5/krb/gc_via_tgt.c | 223 ---------------------------------- src/lib/krb5/krb/gc_via_tkt.c | 58 +++++---- src/lib/krb5/krb/int-proto.h | 14 --- 7 files changed, 49 insertions(+), 488 deletions(-) delete mode 100644 src/lib/krb5/krb/gc_2tgt.c delete mode 100644 src/lib/krb5/krb/gc_via_tgt.c diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index b963cb4e4..cba427811 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,11 @@ + +Wed Apr 26 22:49:18 1995 Chris Provenzano (proven@mit.edu) + + * gc_via_tgt.c, and gc_2tgt.c : Removed. + * Makefile.in, gc_via_tkt.c, gc_frm_kdc.c, and, int-proto.h : + Replaced get_cred_via_tgt() and get_cred_via_2tgt() + with more general function get_cred_via_tkt(). + Tue Apr 25 21:58:23 1995 Chris Provenzano (proven@mit.edu) * Makefile.in : Added gc_via_tkt.c and removed get_fcreds.c diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 30729b018..0761a2216 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -31,9 +31,7 @@ OBJS= addr_comp.$(OBJEXT) \ free_rtree.$(OBJEXT) \ faddr_ordr.$(OBJEXT) \ gc_frm_kdc.$(OBJEXT) \ - gc_via_tgt.$(OBJEXT) \ gc_via_tkt.$(OBJEXT) \ - gc_2tgt.$(OBJEXT) \ gen_seqnum.$(OBJEXT) \ gen_subkey.$(OBJEXT) \ get_creds.$(OBJEXT) \ 
@@ -97,9 +95,7 @@ SRCS= $(srcdir)/addr_comp.c \
 $(srcdir)/free_rtree.c \
 $(srcdir)/faddr_ordr.c \
 $(srcdir)/gc_frm_kdc.c \
- $(srcdir)/gc_via_tgt.c \
 $(srcdir)/gc_via_tkt.c \
- $(srcdir)/gc_2tgt.c \
 $(srcdir)/gen_seqnum.c \
 $(srcdir)/gen_subkey.c \
 $(srcdir)/get_creds.c \
diff --git a/src/lib/krb5/krb/gc_2tgt.c b/src/lib/krb5/krb/gc_2tgt.c
deleted file mode 100644
index c5ddcf7c4..000000000
--- a/src/lib/krb5/krb/gc_2tgt.c
+++ /dev/null
@@ -1,204 +0,0 @@ -/* - * lib/krb5/krb/gc_2tgt.c - * - * Copyright 1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * Given two tgts, get a ticket. - */ - -#include "k5-int.h" -#include "int-proto.h" - -krb5_error_code -krb5_get_cred_via_2tgt (context, tgt, kdcoptions, sumtype, in_cred, out_cred) - krb5_context context; - krb5_creds *tgt; - const krb5_flags kdcoptions; - const krb5_cksumtype sumtype; - krb5_creds * in_cred; - krb5_creds ** out_cred; -{ - krb5_error_code retval; -#if 0 - krb5_principal tempprinc; -#endif - krb5_data *scratch; - krb5_kdc_rep *dec_rep; - krb5_error *err_reply; - krb5_response tgsrep; - krb5_enctype etype; - - /* tgt->client must be equal to in_cred->client */ - /* tgt->server must be equal to krbtgt/realmof(cred->client) */ - if (!krb5_principal_compare(context, tgt->client, in_cred->client)) - return KRB5_PRINC_NOMATCH; - - if (!tgt->ticket.length) - return(KRB5_NO_TKT_SUPPLIED); - - if (!in_cred->second_ticket.length) - return(KRB5_NO_2ND_TKT); - -#if 0 /* What does this do? 
*/ - if (retval = krb5_tgtname(context, krb5_princ_realm(in_cred->server), - krb5_princ_realm(context, in_cred->client), &tempprinc)) - return(retval); - - if (!krb5_principal_compare(context, tempprinc, tgt->server)) { - krb5_free_principal(context, tempprinc); - return KRB5_PRINC_NOMATCH; - } - krb5_free_principal(context, tempprinc); -#endif - - if (!(kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY)) - return KRB5_INVALID_FLAGS; - - if (retval = krb5_send_tgs(context, kdcoptions, &in_cred->times, NULL, - sumtype, in_cred->server, tgt->addresses, - in_cred->authdata, - 0, /* no padata */ - &in_cred->second_ticket, tgt, &tgsrep)) - return retval; - - if (tgsrep.message_type != KRB5_TGS_REP) - { - if (!krb5_is_krb_error(&tgsrep.response)) { - free(tgsrep.response.data); - return KRB5KRB_AP_ERR_MSG_TYPE; - } - retval = decode_krb5_error(&tgsrep.response, &err_reply); - if (retval) { - free(tgsrep.response.data); - return retval; - } - retval = err_reply->error + ERROR_TABLE_BASE_krb5; - - krb5_free_error(context, err_reply); - free(tgsrep.response.data); - return retval; - } - etype = tgt->keyblock.etype; - retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock, - etype, &dec_rep); - free(tgsrep.response.data); - if (retval) - return retval; - - if (dec_rep->msg_type != KRB5_TGS_REP) { - retval = KRB5KRB_AP_ERR_MSG_TYPE; - goto errout; - } - - /* now it's decrypted and ready for prime time */ - - if (!krb5_principal_compare(context, dec_rep->client, tgt->client)) { - retval = KRB5_KDCREP_MODIFIED; - goto errout; - } - - /* - * get a cred structure - * The caller is responsible for cleaning up - */ - if (((*out_cred) = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) { - retval = ENOMEM; - goto errout; - } - - /* Copy the client straig from in_cred */ - if (retval = krb5_copy_principal(context, in_cred->client, - &(*out_cred)->client)) { - goto errout; - } - - /* put pieces into out_cred-> */ - (*out_cred)->keyblock.magic = KV5M_KEYBLOCK; - 
(*out_cred)->keyblock.etype = dec_rep->ticket->enc_part.etype; - if (retval = krb5_copy_keyblock_contents(context, - dec_rep->enc_part2->session, - &(*out_cred)->keyblock)) - goto errout; - - /* Should verify that the ticket is what we asked for. */ -#ifdef HAVE_C_STRUCTURE_ASSIGNMENT - (*out_cred)->times = dec_rep->enc_part2->times; -#else - memcpy(&(*out_cred)->times, &dec_rep->enc_part2->times, - sizeof(krb5_ticket_times)); -#endif - - (*out_cred)->ticket_flags = dec_rep->enc_part2->flags; - (*out_cred)->is_skey = TRUE; - if (dec_rep->enc_part2->caddrs) - retval = krb5_copy_addresses(context, dec_rep->enc_part2->caddrs, - &(*out_cred)->addresses); - else - /* no addresses in the list means we got what we had */ - retval = krb5_copy_addresses(context, tgt->addresses, &(*out_cred)->addresses); - if (retval) - goto errout; - - if (retval = krb5_copy_principal(context, dec_rep->enc_part2->server, - &(*out_cred)->server)) - goto errout; - - if (retval = encode_krb5_ticket(dec_rep->ticket, &scratch)) - goto errout; - - (*out_cred)->ticket = *scratch; - krb5_xfree(scratch); - -errout: - if (retval) { - if (*out_cred) { - if ((*out_cred)->keyblock.contents) { - memset((*out_cred)->keyblock.contents, 0, - (*out_cred)->keyblock.length); - krb5_xfree((*out_cred)->keyblock.contents); - (*out_cred)->keyblock.contents = 0; - } - if ((*out_cred)->addresses) { - krb5_free_addresses(context, (*out_cred)->addresses); - (*out_cred)->addresses = 0; - } - if ((*out_cred)->server) { - krb5_free_principal(context, (*out_cred)->server); - (*out_cred)->server = 0; - } - krb5_free_creds(context, *out_cred); - } - } - memset((char *)dec_rep->enc_part2->session->contents, 0, - dec_rep->enc_part2->session->length); - krb5_free_kdc_rep(context, dec_rep); - return retval; -} - -/* - * Local variables: - * mode:c - * eval: (make-local-variable (quote c-indent-level)) - * eval: (make-local-variable (quote c-continued-statement-offset)) - * eval: (setq c-indent-level 4 
c-continued-statement-offset 4) - * End: - */ - diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index 5b72ebb24..a2a7f5774 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -254,10 +254,9 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; etype = TGT_ETYPE; - if(retval = krb5_get_cred_via_tgt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - krb5_kdc_req_sumtype, - &tgtq, &tgtr)) { + if (retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, &tgtq, &tgtr)) { /* * couldn't get one so now loop backwards through the realms @@ -310,10 +309,9 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; etype = TGT_ETYPE; - if (retval = krb5_get_cred_via_tgt(context, &tgt, + if (retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgtq.ticket_flags), - krb5_kdc_req_sumtype, - &tgtq, &tgtr)) { + tgt.addresses, &tgtq, &tgtr)) { continue; } @@ -383,16 +381,10 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) } etype = TGT_ETYPE; - if (in_cred->second_ticket.length) { - retval = krb5_get_cred_via_2tgt(context, &tgt, - KDC_OPT_ENC_TKT_IN_SKEY | - FLAGS2OPTS(tgt.ticket_flags), - krb5_kdc_req_sumtype, in_cred, out_cred); - } else { - retval = krb5_get_cred_via_tgt(context, &tgt, - FLAGS2OPTS(tgt.ticket_flags), - krb5_kdc_req_sumtype, in_cred, out_cred); - } + retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) | + (in_cred->second_ticket.length ? + KDC_OPT_ENC_TKT_IN_SKEY : 0), + tgt.addresses, in_cred, out_cred); /* cleanup and return */ diff --git a/src/lib/krb5/krb/gc_via_tgt.c b/src/lib/krb5/krb/gc_via_tgt.c deleted file mode 100644 index 5c15a0138..000000000 --- a/src/lib/krb5/krb/gc_via_tgt.c +++ /dev/null 
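Review bot: At all three call sites in gc_frm_kdc.c the fourth argument changes from a checksum type to `tgt.addresses` while the argument count stays at six, and the definitions in this library are K&R style, so a stale or mistyped call is only diagnosed if a prototype is in scope. The int-proto.h hunk of this commit deletes the prototypes of the two old functions, and none of the visible hunks shows one for `krb5_get_cred_via_tkt`; confirm that a `PROTOTYPE((...))` declaration for it exists in a header included here. In the third hunk, a short comment such as `/* a second ticket in in_cred selects an ENC-TKT-IN-SKEY request */` would explain the inline conditional that replaced the explicit if/else. krb5_get_cred_from_kdc starts and ends outside these hunks.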
@@ -1,223 +0,0 @@ -/* - * lib/krb5/krb/gc_via_tgt.c - * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * - * Given a tgt, and a target cred, get it. 
- */ - -#include "k5-int.h" -#include "int-proto.h" - -krb5_error_code -krb5_get_cred_via_tgt (context, tgt, kdcoptions, sumtype, in_cred, out_cred) - krb5_context context; - krb5_creds * tgt; - const krb5_flags kdcoptions; - const krb5_cksumtype sumtype; - krb5_creds * in_cred; - krb5_creds ** out_cred; -{ - krb5_error_code retval; - krb5_principal tempprinc; - krb5_data *scratch; - krb5_kdc_rep *dec_rep; - krb5_error *err_reply; - krb5_response tgsrep; - - /* tgt->client must be equal to in_cred->client */ - if (!krb5_principal_compare(context, tgt->client, in_cred->client)) - return KRB5_PRINC_NOMATCH; - - if (!tgt->ticket.length) - return(KRB5_NO_TKT_SUPPLIED); - - /* check if we have the right TGT */ - /* tgt->server must be equal to */ - /* krbtgt/realmof(cred->server)@realmof(tgt->server) */ - - if (retval = krb5_tgtname(context, - krb5_princ_realm(context, in_cred->server), - krb5_princ_realm(context, tgt->server), &tempprinc)) - return(retval); - - if (!krb5_principal_compare(context, tempprinc, tgt->server)) { - retval = KRB5_PRINC_NOMATCH; - goto error_5; - } - - if (retval = krb5_send_tgs(context, kdcoptions, &in_cred->times, NULL, - sumtype, in_cred->server, tgt->addresses, - in_cred->authdata, - 0, /* no padata */ - 0, /* no second ticket */ - tgt, &tgsrep)) - goto error_5; - - switch (tgsrep.message_type) { - case KRB5_TGS_REP: - break; - case KRB5_ERROR: - default: - if (krb5_is_krb_error(&tgsrep.response)) - retval = decode_krb5_error(&tgsrep.response, &err_reply); - else - retval = KRB5KRB_AP_ERR_MSG_TYPE; - - if (retval) /* neither proper reply nor error! */ - goto error_4; - -#if 0 - /* XXX need access to the actual assembled request... 
- need a change to send_tgs */ - if ((err_reply->ctime != request.ctime) || - !krb5_principal_compare(context, err_reply->server, request.server) || - !krb5_principal_compare(context, err_reply->client, request.client)) - retval = KRB5_KDCREP_MODIFIED; - else -#endif - retval = err_reply->error + ERROR_TABLE_BASE_krb5; - - krb5_free_error(context, err_reply); - goto error_4; - } - - if (retval = krb5_decode_kdc_rep(context, &tgsrep.response, &tgt->keyblock, - tgt->keyblock.etype, &dec_rep)) - goto error_4; - - if (dec_rep->msg_type != KRB5_TGS_REP) { - retval = KRB5KRB_AP_ERR_MSG_TYPE; - goto error_3; - } - - /* now it's decrypted and ready for prime time */ - if (!krb5_principal_compare(context, dec_rep->client, tgt->client)) { - retval = KRB5_KDCREP_MODIFIED; - goto error_3; - } - - /* get a cred structure */ - /* The caller is responsible for cleaning up */ - if (((*out_cred) = (krb5_creds *)malloc(sizeof(krb5_creds))) == NULL) { - retval = ENOMEM; - goto error_2; - } - memset((*out_cred), 0, sizeof(krb5_creds)); - - /* Copy the client straigt from in_cred */ - if (retval = krb5_copy_principal(context, in_cred->client, - &(*out_cred)->client)) { - goto error_2; - } - - /* put pieces into out_cred-> */ - if (retval = krb5_copy_keyblock_contents(context, - dec_rep->enc_part2->session, - &(*out_cred)->keyblock)) { - goto error_2; - } - - (*out_cred)->keyblock.etype = dec_rep->ticket->enc_part.etype; -#ifdef HAVE_C_STRUCTURE_ASSIGNMENT - (*out_cred)->times = dec_rep->enc_part2->times; -#else - memcpy(&(*out_cred)->times, &dec_rep->enc_part2->times, - sizeof(krb5_ticket_times)); -#endif - -#if 0 - /* XXX probably need access to the request */ - /* check the contents for sanity: */ - if (!krb5_principal_compare(context, dec_rep->client, request.client) - || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server) - || !krb5_principal_compare(context, dec_rep->ticket->server, request.server) - || (request.nonce != dec_rep->enc_part2->nonce) - /* XXX 
check for extraneous flags */ - /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */ - || ((request.from != 0) && - (request.from != dec_rep->enc_part2->times.starttime)) - || ((request.till != 0) && - (dec_rep->enc_part2->times.endtime > request.till)) - || ((request.kdc_options & KDC_OPT_RENEWABLE) && - (request.rtime != 0) && - (dec_rep->enc_part2->times.renew_till > request.rtime)) - || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) && - (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && - (request.till != 0) && - (dec_rep->enc_part2->times.renew_till > request.till)) - ) - retval = KRB5_KDCREP_MODIFIED; - - if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) { - retval = KRB5_KDCREP_SKEW; - goto error_1; - } - -#endif - - (*out_cred)->ticket_flags = dec_rep->enc_part2->flags; - (*out_cred)->is_skey = FALSE; - if (dec_rep->enc_part2->caddrs) { - if (retval = krb5_copy_addresses(context, dec_rep->enc_part2->caddrs, - &(*out_cred)->addresses)) { - goto error_1; - } - } else { - /* no addresses in the list means we got what we had */ - if (retval = krb5_copy_addresses(context, tgt->addresses, - &(*out_cred)->addresses)) { - goto error_1; - } - } - if (retval = krb5_copy_principal(context, dec_rep->enc_part2->server, - &(*out_cred)->server)) { - goto error_1; - } - - if (retval = encode_krb5_ticket(dec_rep->ticket, &scratch)) { - krb5_free_addresses(context, (*out_cred)->addresses); - goto error_1; - } - - (*out_cred)->ticket = *scratch; - krb5_xfree(scratch); - -error_1:; - if (retval) - memset((*out_cred)->keyblock.contents, 0, (*out_cred)->keyblock.length); - -error_2:; - if (retval) - krb5_free_creds(context, *out_cred); - -error_3:; - memset(dec_rep->enc_part2->session->contents, 0, - dec_rep->enc_part2->session->length); - krb5_free_kdc_rep(context, dec_rep); - -error_4:; - free(tgsrep.response.data); - -error_5:; - krb5_free_principal(context, tempprinc); - return retval; -} 
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index c548b3d37..87a4de255 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -29,10 +29,11 @@ #include "int-proto.h" static krb5_error_code -krb5_kdcrep2creds(context, pkdcrep, address, ppcreds) +krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) krb5_context context; krb5_kdc_rep * pkdcrep; krb5_address *const * address; + krb5_data * psectkt; krb5_creds ** ppcreds; { krb5_error_code retval; @@ -57,15 +58,18 @@ krb5_kdcrep2creds(context, pkdcrep, address, ppcreds) &(*ppcreds)->keyblock)) goto cleanup; - (*ppcreds)->keyblock.etype = pkdcrep->ticket->enc_part.etype; + if (retval = krb5_copy_data(context, psectkt, &pdata)) + goto cleanup; + (*ppcreds)->second_ticket = *pdata; + krb5_xfree(pdata); - (*ppcreds)->magic = KV5M_CREDS; - (*ppcreds)->is_skey = 0; /* unused */ - (*ppcreds)->times = pkdcrep->enc_part2->times; + (*ppcreds)->keyblock.etype = pkdcrep->ticket->enc_part.etype; (*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags; + (*ppcreds)->times = pkdcrep->enc_part2->times; + (*ppcreds)->magic = KV5M_CREDS; - (*ppcreds)->authdata = NULL; /* not used */ - memset(&(*ppcreds)->second_ticket, 0, sizeof((*ppcreds)->second_ticket)); + (*ppcreds)->authdata = NULL; /* not used */ + (*ppcreds)->is_skey = 0; /* not used */ if (pkdcrep->enc_part2->caddrs) { if (retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs, @@ -105,7 +109,6 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) krb5_creds ** out_cred; { krb5_error_code retval; - krb5_principal tempprinc; krb5_kdc_rep *dec_rep; krb5_error *err_reply; krb5_response tgsrep; 
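Review bot: In the second gc_via_tkt.c hunk (`krb5_kdcrep2creds`), `(*ppcreds)->is_skey = 0; /* not used */` now applies to every reply, whereas the removed `krb5_get_cred_via_2tgt` set `is_skey = TRUE` on credentials obtained with a second ticket. Any code that matches stored credentials on that field would treat them differently after this change, which is presumably unintended and worth confirming. The same hunk copies `psectkt` unconditionally, so requests without a second ticket pass a zero-length input to `krb5_copy_data` and depend on the caller (including the `tgtq` passed from gc_frm_kdc.c) having initialised `second_ticket`. Consider guarding the copy with `if (psectkt->length)`, keeping the removed `memset` of `second_ticket` for the empty case, and deriving `is_skey` from whether a second ticket was used. The function body and its `cleanup` label continue outside the hunk.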
@@ -117,19 +120,27 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) if (!tkt->ticket.length) return KRB5_NO_TKT_SUPPLIED; + if ((kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) && + (!in_cred->second_ticket.length)) + return(KRB5_NO_2ND_TKT); + + /* check if we have the right TGT */ /* tkt->server must be equal to */ /* krbtgt/realmof(cred->server)@realmof(tgt->server) */ - /* - if (retval = krb5_tgtname(context, + { + krb5_principal tempprinc; + if (retval = krb5_tgtname(context, krb5_princ_realm(context, in_cred->server), krb5_princ_realm(context, tkt->server), &tempprinc)) - return(retval); + return(retval); - if (!krb5_principal_compare(context, tempprinc, tkt->server)) { - retval = KRB5_PRINC_NOMATCH; - goto error_5; + if (!krb5_principal_compare(context, tempprinc, tkt->server)) { + krb5_free_principal(context, tempprinc); + return (KRB5_PRINC_NOMATCH); + } + krb5_free_principal(context, tempprinc); } */ @@ -137,9 +148,10 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) krb5_kdc_req_sumtype, /* To be removed */ in_cred->server, address, in_cred->authdata, 0, /* no padata */ - 0, /* no second ticket */ + (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) ? + &in_cred->second_ticket : NULL, tkt, &tgsrep)) - goto error_5; + return retval; switch (tgsrep.message_type) { case KRB5_TGS_REP: @@ -158,7 +170,7 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) /* XXX need access to the actual assembled request... need a change to send_tgs */ if ((err_reply->ctime != request.ctime) || - !krb5_principal_compare(context, err_reply->server, request.server) || + !krb5_principal_compare(context,err_reply->server,request.server) || !krb5_principal_compare(context, err_reply->client, request.client)) retval = KRB5_KDCREP_MODIFIED; else 
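Review bot: In the first hunk on this line, the `/*` that opened the commented-out TGT check is removed, but the closing `*/` after the block's final `}` is still a context line, so as far as the hunk shows the new file is left with an unmatched `*/`. Please check that this compiles. It also leaves open whether the realm check is meant to be live: if it is, every ticket passed to `krb5_get_cred_via_tkt` must name the `krbtgt` principal built by `krb5_tgtname`, which sits oddly with generalising the function from TGTs to tickets. If it is not, restore the opener and record in the comment why the check is disabled. Line breaks on this page are collapsed, so the comment boundaries are inferred from the `+`/`-` markers.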
@@ -184,9 +196,6 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) goto error_3; } - retval = krb5_kdcrep2creds(context, dec_rep, address, out_cred); - - #if 0 /* XXX probably need access to the request */ /* check the contents for sanity: */ @@ -212,13 +221,13 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) { retval = KRB5_KDCREP_SKEW; - goto error_1; + goto error_3; } #endif -error_1:; - if (retval) + retval = krb5_kdcrep2creds(context, dec_rep, address, + &in_cred->second_ticket, out_cred); error_3:; memset(dec_rep->enc_part2->session->contents, 0, @@ -227,8 +236,5 @@ error_3:; error_4:; free(tgsrep.response.data); - -error_5:; - krb5_free_principal(context, tempprinc); return retval; } diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h index 0a08e39cd..7ad90e0e8 100644 --- a/src/lib/krb5/krb/int-proto.h +++ b/src/lib/krb5/krb/int-proto.h @@ -33,20 +33,6 @@ krb5_error_code krb5_tgtname const krb5_data *, const krb5_data *, krb5_principal *)); -krb5_error_code krb5_get_cred_via_tgt - PROTOTYPE((krb5_context context, - krb5_creds *, - const krb5_flags, - const krb5_cksumtype, - krb5_creds *, - krb5_creds **)); -krb5_error_code krb5_get_cred_via_2tgt - PROTOTYPE((krb5_context context, - krb5_creds *, - const krb5_flags, - const krb5_cksumtype, - krb5_creds *, - krb5_creds **)); #endif /* KRB5_INT_FUNC_PROTO__ */ -- 2.26.2
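Review bot: In the second hunk on this line, the new `krb5_kdcrep2creds` call builds credentials from the reply while the whole sanity block above it (server principal, nonce, times, clock skew) is still under `#if 0`. Nothing in the visible lines therefore checks that the returned ticket is for the service that was requested. That block needs the assembled request, but `in_cred->server` is available here, so a check such as `if (!krb5_principal_compare(context, dec_rep->enc_part2->server, in_cred->server)) { retval = KRB5_KDCREP_MODIFIED; goto error_3; }` before the call would cover the server name. This assumes callers that deliberately accept a ticket for a different server (the realm walk in gc_frm_kdc.c may be one) are accounted for. If the check cannot go in yet, extend the `XXX` comment to say that the caller must validate `(*out_cred)->server`.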