diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c index c421339c6..e1f0436fa 100644 --- a/lib/krb5/get_cred.c +++ b/lib/krb5/get_cred.c @@ -40,11 +40,6 @@ RCSID("$Id$"); -/* - * - */ - - static krb5_error_code key_proc (krb5_context context, @@ -57,148 +52,128 @@ key_proc (krb5_context context, return 0; } -krb5_error_code -krb5_get_credentials (krb5_context context, - krb5_flags options, - krb5_ccache ccache, - krb5_creds *in_creds, - krb5_creds **out_creds) +static krb5_error_code +make_pa_tgs_req(krb5_context context, + krb5_ccache id, + KDC_REQ_BODY *body, + PA_DATA *padata, + krb5_creds *creds) { + unsigned char buf[1024]; + size_t len; + krb5_data in_data; krb5_error_code ret; - TGS_REQ a; - Authenticator auth; - krb5_data authenticator; - Checksum c; - AP_REQ ap; + + encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf), + body, &len); + in_data.length = len; + in_data.data = buf + sizeof(buf) - len; + ret = krb5_mk_req_extended(context, NULL, 0, &in_data, creds, + &padata->padata_value); + if(ret) + return ret; + padata->padata_type = pa_tgs_req; + return 0; +} + +krb5_error_code +krb5_get_kdc_cred(krb5_context context, + krb5_ccache id, + krb5_kdc_flags flags, + krb5_addresses *addresses, + Ticket *second_ticket, + krb5_creds *in_creds, + krb5_creds **out_creds + ) +{ + TGS_REQ req; + krb5_data enc; + krb5_data resp; krb5_kdc_rep rep; KRB_ERROR error; - krb5_data req, resp; - char buf[BUFSIZ]; - int i; - unsigned char data[1024], buf2[1024]; + krb5_error_code ret; + + unsigned char buf[1024]; size_t len; - PA_DATA *foo; - - krb5_kdc_flags flags; - - /* - * Check if cred found in ccache - */ - - *out_creds = malloc(sizeof(**out_creds)); - memset(*out_creds, 0, sizeof(**out_creds)); - - ret = krb5_cc_retrieve_cred(context, ccache, 0, in_creds, *out_creds); - if (ret == 0) - return ret; - else if (ret != KRB5_CC_END) { - free(*out_creds); - return ret; + + memset(&req, 0, sizeof(req)); + req.pvno = 5; + req.msg_type = krb_tgs_req; + krb5_init_etype(context, + &req.req_body.etype.len, + &req.req_body.etype.val, + NULL); + req.req_body.addresses = addresses; + req.req_body.kdc_options = flags.b; + copy_Realm(&in_creds->server->realm, &req.req_body.realm); + req.req_body.sname = malloc(sizeof(*req.req_body.sname)); + copy_PrincipalName(&in_creds->server->name, req.req_body.sname); + req.req_body.till = in_creds->times.endtime; + krb5_generate_random_block(&req.req_body.nonce, + sizeof(req.req_body.nonce)); + if(second_ticket){ + req.req_body.additional_tickets = malloc(sizeof(*req.req_body.additional_tickets)); + req.req_body.additional_tickets->len = 1; + req.req_body.additional_tickets->val = malloc(sizeof(*req.req_body.additional_tickets->val)); + copy_Ticket(second_ticket, req.req_body.additional_tickets->val); } - - /* - * Prepare Tgs_Req. - */ - - memset(&a, 0, sizeof(a)); - krb5_init_etype (context, - &a.req_body.etype.len, - &a.req_body.etype.val, - NULL); - a.req_body.addresses = malloc(sizeof(*a.req_body.addresses)); - ret = krb5_get_all_client_addrs (a.req_body.addresses); - if (ret) - return ret; - - a.pvno = 5; - a.msg_type = krb_tgs_req; - - flags.i = options; - a.req_body.kdc_options = flags.b; - - copy_Realm(&in_creds->server->realm, &a.req_body.realm); - a.req_body.sname = malloc(sizeof(*a.req_body.sname)); - copy_PrincipalName(&in_creds->server->name, a.req_body.sname); - a.req_body.from = NULL; - a.req_body.till = in_creds->times.endtime; - a.req_body.rtime = NULL; - krb5_generate_random_block (&a.req_body.nonce, sizeof(a.req_body.nonce)); - a.req_body.additional_tickets = NULL; - a.req_body.enc_authorization_data = NULL; + req.req_body.enc_authorization_data = NULL; + + req.padata = malloc(sizeof(*req.padata)); + req.padata->len = 1; + req.padata->val = malloc(sizeof(*req.padata->val)); { - krb5_data in_data; - unsigned char buf[1024]; - krb5_auth_context ac = NULL; - size_t len; krb5_creds tmp_cred; - - foo = malloc (sizeof(*foo)); - - ret = encode_KDC_REQ_BODY(buf + sizeof(buf) - 1, sizeof(buf), - &a.req_body, &len); - in_data.length = len; - in_data.data = buf + sizeof(buf) - len; - - tmp_cred.client = NULL; - ret = krb5_build_principal(context, + memset(&tmp_cred, 0, sizeof(tmp_cred)); + ret = krb5_build_principal(context, &tmp_cred.server, - strlen(a.req_body.realm), - a.req_body.realm, + strlen(req.req_body.realm), + req.req_body.realm, "krbtgt", - a.req_body.realm, + req.req_body.realm, NULL); - if (ret) - return ret; - - ret = krb5_get_credentials (context, - 0, - ccache, - &tmp_cred, - out_creds); - if (ret) - return ret; - - ret = krb5_mk_req_extended(context, - &ac, - 0, - &in_data, - *out_creds, - &foo->padata_value); if(ret) return ret; - - foo->padata_type = pa_tgs_req; + ret = krb5_get_credentials(context, + 0, /* CACHE_ONLY */ + id, + &tmp_cred, + out_creds); + krb5_free_principal(context, tmp_cred.server); + if(ret) + return ret; } - a.padata = malloc(sizeof(*a.padata)); - a.padata->len = 1; - a.padata->val = foo; - - /* - * Encode - */ - - encode_TGS_REQ (buf + sizeof (buf) - 1, sizeof(buf), &a, &req.length); - req.data = buf + sizeof(buf) - req.length; - - free_TGS_REQ (&a); - + ret = make_pa_tgs_req(context, id, &req.req_body, + req.padata->val, *out_creds); + if(ret) + goto out; + + encode_TGS_REQ (buf + sizeof (buf) - 1, sizeof(buf), &req, &enc.length); + enc.data = buf + sizeof(buf) - enc.length; + /* * Send and receive */ - ret = krb5_sendto_kdc (context, &req, &in_creds->server->realm, &resp); - if (ret) { - return ret; - } - switch(((unsigned char*)resp.data)[0] & 0x1f){ - case krb_error:{ + ret = krb5_sendto_kdc (context, &enc, &in_creds->server->realm, &resp); + if (ret) + goto out; + + memset(&rep, 0, sizeof(rep)); + if(decode_TGS_REP(resp.data, resp.length, &rep.part1, &len) == 0){ + ret = extract_ticket(context, &rep, *out_creds, + &(*out_creds)->session, + NULL, + NULL, + NULL); + krb5_free_kdc_rep(context, &rep); + }else if(decode_KRB_ERROR(resp.data, resp.length, &error, &len) == 0){ +#if 0 krb5_principal princ; char *name; - ret = decode_KRB_ERROR(resp.data, resp.length, &error, &len); - if(ret) return ret; principalname2krb5_principal(&princ, error.sname, error.realm); krb5_unparse_name(context, princ, &name); fprintf(stderr, "Error: %s ", name); @@ -208,22 +183,57 @@ krb5_get_credentials (krb5_context context, fprintf(stderr, "%s", krb5_get_err_text(context, error.error_code)); fprintf(stderr, " (code %d)\n", error.error_code); - abort(); - break; - } - case krb_tgs_rep: - ret = decode_TGS_REP(resp.data, resp.length, &rep.part1, &len); - if(ret) return ret; - ret = extract_ticket(context, &rep, *out_creds, - &(*out_creds)->session, - NULL, - NULL, - NULL); - if(ret) - return ret; - return krb5_cc_store_cred (context, ccache, *out_creds); - break; - default: - return KRB5KRB_AP_ERR_MSG_TYPE; - } +#endif + ret = error.error_code; + free_KRB_ERROR(&error); + }else + ret = KRB5KRB_AP_ERR_MSG_TYPE; + krb5_data_free(&resp); +out: + free_TGS_REQ(&req); + return ret; +} + +krb5_error_code +krb5_get_credentials (krb5_context context, + krb5_flags options, + krb5_ccache ccache, + krb5_creds *in_creds, + krb5_creds **out_creds) +{ + krb5_error_code ret; + krb5_kdc_flags flags; + krb5_addresses addresses; + + /* + * Check if cred found in ccache + */ + + *out_creds = malloc(sizeof(**out_creds)); + memset(*out_creds, 0, sizeof(**out_creds)); + + ret = krb5_cc_retrieve_cred(context, ccache, 0, in_creds, *out_creds); + + if (ret == 0) + return ret; + else if (ret != KRB5_CC_END) { + free(*out_creds); + return ret; + } + + krb5_get_all_client_addrs(&addresses); + + flags.i = options; /* XXX */ + ret = krb5_get_kdc_cred(context, + ccache, + flags, + &addresses, + NULL, + in_creds, + out_creds); + + krb5_free_addresses(context, &addresses); + if(ret) + return ret; + return krb5_cc_store_cred (context, ccache, *out_creds); }