From de00ff394c1880319401e113a1ea983bf99cd075 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Thu, 8 Aug 2002 06:52:05 +0000 Subject: [PATCH] * cr_tkt.c (krb_cr_tkt_int): Don't take key arguments any more. (krb_create_ticket, krb_cr_tkt_krb5): Do the encryption here; drop NOENCRYPTION test. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14688 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb4/ChangeLog | 6 +++ src/lib/krb4/cr_tkt.c | 115 ++++++++++++++++++++--------------------- 2 files changed, 63 insertions(+), 58 deletions(-) diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog index 0f9259016..13de98d40 100644 --- a/src/lib/krb4/ChangeLog +++ b/src/lib/krb4/ChangeLog @@ -1,3 +1,9 @@ +2002-08-07 Ken Raeburn + + * cr_tkt.c (krb_cr_tkt_int): Don't take key arguments any more. + (krb_create_ticket, krb_cr_tkt_krb5): Do the encryption here; drop + NOENCRYPTION test. + 2002-07-30 Ken Raeburn * log.c: Include stdarg.h. diff --git a/src/lib/krb4/cr_tkt.c b/src/lib/krb4/cr_tkt.c index deff714f5..2c01257d8 100644 --- a/src/lib/krb4/cr_tkt.c +++ b/src/lib/krb4/cr_tkt.c @@ -33,10 +33,9 @@ static int krb_cr_tkt_int (KTEXT tkt, unsigned int flags_in, char *pname, - char *pinstance, char *prealm, long paddress, - char *session, int life, long time_sec, - char *sname, char *sinstance, C_Block key, - krb5_keyblock *k5key); + char *pinstance, char *prealm, long paddress, + char *session, int life, long time_sec, + char *sname, char *sinstance); /* * Create ticket takes as arguments information that should be in a @@ -97,7 +96,7 @@ int krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress, session, life, time_sec, sname, sinstance, key) KTEXT tkt; /* Gets filled in by the ticket */ - unsigned int flags; /* Various Kerberos flags */ + unsigned int flags; /* Various Kerberos flags */ char *pname; /* Principal's name */ char *pinstance; /* Principal's instance */ char *prealm; /* Principal's authentication domain */ @@ -109,16 +108,27 @@ krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress, char *sinstance; /* Instance Name */ C_Block key; /* Service's secret key */ { - return krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, - session, life, time_sec, sname, sinstance, - key, NULL); + int kerr; + Key_schedule key_s; + + kerr = krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, + session, life, time_sec, sname, sinstance); + if (kerr) + return kerr; + + /* Encrypt the ticket in the services key */ + key_sched(key, key_s); + pcbc_encrypt((C_Block *)tkt->dat, (C_Block *)tkt->dat, + (long)tkt->length, key_s, (C_Block *)key, 1); + memset(key_s, 0, sizeof(key_s)); + return 0; } int krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress, session, life, time_sec, sname, sinstance, k5key) KTEXT tkt; /* Gets filled in by the ticket */ - unsigned int flags; /* Various Kerberos flags */ + unsigned int flags; /* Various Kerberos flags */ char *pname; /* Principal's name */ char *pinstance; /* Principal's instance */ char *prealm; /* Principal's authentication domain */ @@ -130,16 +140,49 @@ krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress, char *sinstance; /* Instance Name */ krb5_keyblock *k5key; /* NULL if not present */ { - C_Block key; + int kerr; + krb5_data in; + krb5_enc_data out; + krb5_error_code ret; + size_t enclen; + + kerr = krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, + paddress, session, life, time_sec, + sname, sinstance); + if (kerr) + return kerr; - return krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, - session, life, time_sec, sname, sinstance, - key, k5key); + /* Encrypt the ticket in the services key */ + in.length = tkt->length; + in.data = (char *)tkt->dat; + /* XXX assumes context arg is ignored */ + ret = krb5_c_encrypt_length(NULL, k5key->enctype, + (size_t)in.length, &enclen); + if (ret) + return KFAILURE; + out.ciphertext.length = enclen; + out.ciphertext.data = malloc(enclen); + if (out.ciphertext.data == NULL) + return KFAILURE; /* XXX maybe ENOMEM? */ + + /* XXX assumes context arg is ignored */ + ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET, + NULL, &in, &out); + if (ret) { + free(out.ciphertext.data); + return KFAILURE; + } else { + tkt->length = out.ciphertext.length; + memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length); + memset(out.ciphertext.data, 0, out.ciphertext.length); + free(out.ciphertext.data); + } + return 0; } static int krb_cr_tkt_int(tkt, flags_in, pname, pinstance, prealm, paddress, - session, life, time_sec, sname, sinstance, key, k5key) + session, life, time_sec, sname, sinstance) KTEXT tkt; /* Gets filled in by the ticket */ unsigned int flags_in; /* Various Kerberos flags */ char *pname; /* Principal's name */ @@ -151,10 +194,7 @@ krb_cr_tkt_int(tkt, flags_in, pname, pinstance, prealm, paddress, long time_sec; /* Issue time and date */ char *sname; /* Service Name */ char *sinstance; /* Instance Name */ - C_Block key; /* Service's secret key */ - krb5_keyblock *k5key; /* NULL if not present */ { - Key_schedule key_s; register unsigned char *data; /* running index into ticket */ size_t pnamelen, pinstlen, prealmlen, snamelen, sinstlen; struct in_addr paddr; @@ -210,46 +250,5 @@ krb_cr_tkt_int(tkt, flags_in, pname, pinstance, prealm, paddress, /* guarantee null padded ticket to multiple of 8 bytes */ memset(data, 0, 7); tkt->length = ((data - tkt->dat + 7) / 8) * 8; - -#ifndef NOENCRYPTION - /* Encrypt the ticket in the services key */ - if (k5key != NULL) { - /* block locals */ - krb5_data in; - krb5_enc_data out; - krb5_error_code ret; - size_t enclen; - - in.length = tkt->length; - in.data = (char *)tkt->dat; - /* XXX assumes context arg is ignored */ - ret = krb5_c_encrypt_length(NULL, k5key->enctype, - (size_t)in.length, &enclen); - if (ret) - return KFAILURE; - out.ciphertext.length = enclen; - out.ciphertext.data = malloc(enclen); - if (out.ciphertext.data == NULL) - return KFAILURE; /* XXX maybe ENOMEM? */ - - /* XXX assumes context arg is ignored */ - ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET, - NULL, &in, &out); - if (ret) { - free(out.ciphertext.data); - return KFAILURE; - } else { - tkt->length = out.ciphertext.length; - memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length); - memset(out.ciphertext.data, 0, out.ciphertext.length); - free(out.ciphertext.data); - } - } else { - key_sched(key, key_s); - pcbc_encrypt((C_Block *)tkt->dat, (C_Block *)tkt->dat, - (long)tkt->length, key_s, (C_Block *)key, 1); - memset(key_s, 0, sizeof(key_s)); - } -#endif /* !NOENCRYPTION */ return 0; } -- 2.26.2