From a33029fc3e5b3b928de52494f2410e1177310631 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Tue, 12 Aug 2003 02:18:55 +0000
Subject: [PATCH] * cnv_tkt_skey.c (krb524_convert_tkt_skey): Call krb_create_ticket instead of local version. Remove local version of krb_create_ticket. This file no longer gets included into a krb524 library, so accessing internal functions isn't that big of an issue anymore.
ticket: 1714
version_reported: 1.3.1
target_version: 1.3.2
tags: pullup
component: krb5-kdc
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15765 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/krb524/ChangeLog | 8 ++
 src/krb524/cnv_tkt_skey.c | 264 ++++----------------------------------
 2 files changed, 34 insertions(+), 238 deletions(-)
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index e471212aa..b5e5b8377 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,11 @@
+2003-08-11 Tom Yu
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Call krb_create_ticket
+ instead of local version. Remove local version of
+ krb_create_ticket. This file no longer gets included into a
+ krb524 library, so accessing internal functions isn't that big of
+ an issue anymore.
+
 2003-06-12 Tom Yu
 * krb524.c (krb524_convert_creds_kdc, krb524_init_ets): Mark as
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index e8bdf7c96..c2ec9d816 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -1,3 +1,28 @@
+/*
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
 /*
  * Copyright 1994 by OpenVision Technologies, Inc.
  *
@@ -35,20 +60,6 @@ static int krb524d_debug = 0;
-static int
-krb524int_krb_create_ticket(KTEXT, unsigned int, char *, char *, char *, long,
- char *, int, long, char *, char *, C_Block);
-
-static int
-krb524int_krb_cr_tkt_krb5(KTEXT, unsigned int, char *, char *, char *, long,
- char *, int, long, char *, char *,
- krb5_keyblock *);
-
-static int
-krb524int_krb_cr_tkt_int(KTEXT, unsigned int, char *, char *, char *, long,
- char *, int, long, char *, char *, C_Block,
- krb5_keyblock *);
-
 /*
  * Convert a v5 ticket for server to a v4 ticket, using service key
  * skey for both.
@@ -173,7 +184,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
 /* XXX are there V5 flags we should map to V4 equivalents? */
 if (v4_skey->enctype == ENCTYPE_DES_CBC_CRC) {
- ret = krb524int_krb_create_ticket(v4tkt,
+ ret = krb_create_ticket(v4tkt,
 0, /* flags */
 pname,
 pinst,
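Review bot: The `+` line now hands pname, pinst, prealm, sname and sinst to krb4's krb_create_ticket, and nothing in this hunk shows where those strings are bounded; the local copy removed later in this patch (described there as "Copied from krb4's cr_tkt") copies each of them into tkt->dat with strcpy and only rejects an oversized ticket after the writes, because its pre-write check divides the summed length by 8 and so bounds nothing. If the krb4 version still matches that copy, the safety of this call rests entirely on the caller having converted the v5 principals into krb4-sized components (presumably ANAME_SZ/INST_SZ/REALM_SZ buffers) before this point, which is worth stating at the call site: `/* name components must already be bounded to krb4 sizes: krb_create_ticket strcpy()s them into tkt->dat before its length check */`. krb524_convert_tkt_skey begins and ends outside this hunk, so the bounding itself cannot be confirmed here.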
@@ -195,226 +206,3 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
 else
 return KRB524_V4ERR;
 }
-
-/*****************************************************************************
- * Copied from krb4's cr_tkt.
- * Modified functions below to be static.
- *****************************************************************************/
-
-#define HOST_BYTE_ORDER (* (const char *) &temp_ONE)
-static const int temp_ONE = 1;
-
-/*
- * Create ticket takes as arguments information that should be in a
- * ticket, and the KTEXT object in which the ticket should be
- * constructed. It then constructs a ticket and returns, leaving the
- * newly created ticket in tkt.
-#ifndef NOENCRYPTION
- * The data in tkt->dat is encrypted in the server's key.
-#endif
- * The length of the ticket is a multiple of
- * eight bytes and is in tkt->length.
- *
- * If the ticket is too long, the ticket will contain nulls.
- * The return value of the routine is undefined.
- *
- * The corresponding routine to extract information from a ticket it
- * decomp_ticket. When changes are made to this routine, the
- * corresponding changes should also be made to that file.
- *
- * The packet is built in the following format:
- *
- * variable
- * type or constant data
- * ---- ----------- ----
- *
- * tkt->length length of ticket (multiple of 8 bytes)
- *
-#ifdef NOENCRYPTION
- * tkt->dat:
-#else
- * tkt->dat: (encrypted in server's key)
-#endif
- *
- * unsigned char flags namely, HOST_BYTE_ORDER
- *
- * string pname client's name
- *
- * string pinstance client's instance
- *
- * string prealm client's realm
- *
- * 4 bytes paddress client's address
- *
- * 8 bytes session session key
- *
- * 1 byte life ticket lifetime
- *
- * 4 bytes time_sec KDC timestamp
- *
- * string sname service's name
- *
- * string sinstance service's instance
- *
- * <=7 bytes null null pad to 8 byte multiple
- *
- */
-static int
-krb524int_krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- C_Block key; /* Service's secret key */
-{
- return krb524int_krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm,
- paddress, session, life, time_sec, sname,
- sinstance, key, NULL);
-}
-
-static int
-krb524int_krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, k5key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- krb5_keyblock *k5key; /* NULL if not present */
-{
- C_Block key;
-
- return krb524int_krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm,
- paddress, session, life, time_sec, sname,
- sinstance, key, k5key);
-}
-
-static int
-krb524int_krb_cr_tkt_int(tkt, flags_in, pname, pinstance, prealm, paddress,
- session, life, time_sec, sname, sinstance, key, k5key)
- KTEXT tkt; /* Gets filled in by the ticket */
- unsigned int flags_in; /* Various Kerberos flags */
- char *pname; /* Principal's name */
- char *pinstance; /* Principal's instance */
- char *prealm; /* Principal's authentication domain */
- long paddress; /* Net address of requesting entity */
- char *session; /* Session key inserted in ticket */
- int life; /* Lifetime of the ticket */
- long time_sec; /* Issue time and date */
- char *sname; /* Service Name */
- char *sinstance; /* Instance Name */
- C_Block key; /* Service's secret key */
- krb5_keyblock *k5key; /* NULL if not present */
-{
- Key_schedule key_s;
- register char *data; /* running index into ticket */
-
- unsigned char flags = flags_in & 0xFF; /* This must be one byte */
-
- tkt->length = 0; /* Clear previous data */
-
- /* Check length of ticket */
- if (sizeof(tkt->dat) < (sizeof(flags) +
- 1 + strlen(pname) +
- 1 + strlen(pinstance) +
- 1 + strlen(prealm) +
- 4 + /* address */
- 8 + /* session */
- 1 + /* life */
- 4 + /* issue time */
- 1 + strlen(sname) +
- 1 + strlen(sinstance) +
- 7) / 8) { /* roundoff */
- memset(tkt->dat, 0, sizeof(tkt->dat));
- return KFAILURE /* XXX */;
- }
-
- flags |= HOST_BYTE_ORDER; /* ticket byte order */
- memcpy((char *) (tkt->dat), (char *) &flags, sizeof(flags));
- data = ((char *)tkt->dat) + sizeof(flags);
- (void) strcpy(data, pname);
- data += 1 + strlen(pname);
- (void) strcpy(data, pinstance);
- data += 1 + strlen(pinstance);
- (void) strcpy(data, prealm);
- data += 1 + strlen(prealm);
- memcpy(data, (char *) &paddress, 4);
- data += 4;
-
- memcpy(data, (char *) session, 8);
- data += 8;
- *(data++) = (char) life;
- /* issue time */
- memcpy(data, (char *) &time_sec, 4);
- data += 4;
- (void) strcpy(data, sname);
- data += 1 + strlen(sname);
- (void) strcpy(data, sinstance);
- data += 1 + strlen(sinstance);
-
- /* guarantee null padded ticket to multiple of 8 bytes */
- memset(data, 0, 7);
- tkt->length = ((data - ((char *)tkt->dat) + 7)/8)*8;
-
- /* Check length of ticket */
- if (tkt->length > (sizeof(KTEXT_ST) - 7)) {
- memset(tkt->dat, 0, tkt->length);
- tkt->length = 0;
- return KFAILURE /* XXX */;
- }
-
-#ifndef NOENCRYPTION
- /* Encrypt the ticket in the services key */
- if (k5key != NULL) {
- /* block locals */
- krb5_data in;
- krb5_enc_data out;
- krb5_error_code ret;
- size_t enclen;
-
- in.length = tkt->length;
- in.data = tkt->dat;
- /* XXX assumes context arg is ignored */
- ret = krb5_c_encrypt_length(NULL, k5key->enctype,
- (size_t)in.length, &enclen);
- if (ret)
- return KFAILURE;
- out.ciphertext.length = enclen;
- out.ciphertext.data = malloc(enclen);
- if (out.ciphertext.data == NULL)
- return KFAILURE; /* XXX maybe ENOMEM? */
-
- /* XXX assumes context arg is ignored */
- ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET,
- NULL, &in, &out);
- if (ret) {
- free(out.ciphertext.data);
- return KFAILURE;
- } else {
- tkt->length = out.ciphertext.length;
- memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length);
- memset(out.ciphertext.data, 0, out.ciphertext.length);
- free(out.ciphertext.data);
- }
- } else {
- key_sched(key,key_s);
- pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,
- (long) tkt->length,key_s,(C_Block *)key,1);
- }
-#endif /* !NOENCRYPTION */
- return 0;
-}
-- 
2.26.2