oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Fixes to send authorization-data to the KDC.

Browse Source 
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4329 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
1998-01-21 00:45:11 +00:00
parent 6e8c9e5569
commit 8fd8b388f2
1 changed files with 52 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
lib/krb5/get_cred.c
View File

@@ -42,9 +42,9 @@ RCSID("$Id$");
static krb5_error_code static krb5_error_code
make_pa_tgs_req(krb5_context context, make_pa_tgs_req(krb5_context context,
krb5_auth_context ac,
KDC_REQ_BODY *body, KDC_REQ_BODY *body,
PA_DATA *padata, PA_DATA *padata,
krb5_keyblock **subkey,
krb5_creds *creds) krb5_creds *creds)
{ {
unsigned char buf[1024]; unsigned char buf[1024];
@@ -58,16 +58,10 @@ make_pa_tgs_req(krb5_context context,
in_data.data = buf + sizeof(buf) - len; in_data.data = buf + sizeof(buf) - len;
{ {
Ticket ticket; Ticket ticket;
krb5_auth_context ac;
ret = krb5_auth_con_init(context, &ac);
if(ret)
return ret;
ret = decode_Ticket(creds->ticket.data, creds->ticket.length, ret = decode_Ticket(creds->ticket.data, creds->ticket.length,
&ticket, &len); &ticket, &len);
if(ret){ if(ret)
krb5_auth_con_free(context, ac);
return ret; return ret;
}
/* /*
* If we get a ticket encrypted with DES-CBC-CRC, it's * If we get a ticket encrypted with DES-CBC-CRC, it's
* probably an old DCE secd and then the usual heuristics of * probably an old DCE secd and then the usual heuristics of
@@ -84,10 +78,6 @@ make_pa_tgs_req(krb5_context context,
ret = krb5_mk_req_extended(context, &ac, 0, &in_data, creds, ret = krb5_mk_req_extended(context, &ac, 0, &in_data, creds,
&padata->padata_value); &padata->padata_value);
if(ret == 0)
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
krb5_auth_con_free(context, ac);
} }
if(ret) if(ret)
return ret; return ret;
@@ -139,7 +129,7 @@ init_tgs_req (krb5_context context,
ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm); ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
if (ret) if (ret)
goto fail; goto fail;
t->req_body.sname = malloc(sizeof(*t->req_body.sname)); ALLOC(t->req_body.sname, 1);
if (t->req_body.sname == NULL) { if (t->req_body.sname == NULL) {
ret = ENOMEM; ret = ENOMEM;
goto fail; goto fail;
@@ -151,6 +141,10 @@ init_tgs_req (krb5_context context,
/* req_body.till should be NULL if there is no endtime specified, /* req_body.till should be NULL if there is no endtime specified,
but old MIT code (like DCE secd) doesn't like that */ but old MIT code (like DCE secd) doesn't like that */
ALLOC(t->req_body.till, 1); ALLOC(t->req_body.till, 1);
if(t->req_body.till == NULL){
ret = ENOMEM;
goto fail;
}
*t->req_body.till = in_creds->times.endtime; *t->req_body.till = in_creds->times.endtime;
t->req_body.nonce = nonce; t->req_body.nonce = nonce;
@@ -160,8 +154,7 @@ init_tgs_req (krb5_context context,
ret = ENOMEM; ret = ENOMEM;
goto fail; goto fail;
} }
t->req_body.additional_tickets->len = 1; ALLOC_SEQ(t->req_body.additional_tickets, 1);
ALLOC(t->req_body.additional_tickets->val, 1);
if (t->req_body.additional_tickets->val == NULL) { if (t->req_body.additional_tickets->val == NULL) {
ret = ENOMEM; ret = ENOMEM;
goto fail; goto fail;
@@ -170,27 +163,54 @@ init_tgs_req (krb5_context context,
if (ret) if (ret)
goto fail; goto fail;
} }
t->req_body.enc_authorization_data = NULL; ALLOC(t->padata, 1);
t->padata = malloc(sizeof(*t->padata));
if (t->padata == NULL) { if (t->padata == NULL) {
ret = ENOMEM; ret = ENOMEM;
goto fail; goto fail;
} }
t->padata->len = 1; ALLOC_SEQ(t->padata, 1);
t->padata->val = malloc(sizeof(*t->padata->val));
if (t->padata->val == NULL) { if (t->padata->val == NULL) {
ret = ENOMEM; ret = ENOMEM;
goto fail; goto fail;
} }
ret = make_pa_tgs_req(context, {
&t->req_body, krb5_auth_context ac;
t->padata->val, krb5_keyblock *key;
subkey, ret = krb5_auth_con_init(context, &ac);
krbtgt); if(ret)
if(ret) return ret;
goto fail; ret = krb5_generate_subkey (context, &krbtgt->session, &key);
ret = krb5_auth_con_setlocalsubkey(context, ac, key);
if(ret == ENOMEM)
/* XXX */;
if(in_creds->authdata.len){
size_t len;
unsigned char *buf;
krb5_enctype etype;
len = length_AuthorizationData(&in_creds->authdata);
buf = malloc(len);
ret = encode_AuthorizationData(buf + len - 1, len, &in_creds->authdata, &len);
ALLOC(t->req_body.enc_authorization_data, 1);
krb5_keytype_to_etype(context, key->keytype, &etype);
krb5_encrypt_EncryptedData(context, buf, len, etype, 0,
key, t->req_body.enc_authorization_data);
}else
t->req_body.enc_authorization_data = NULL;
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
t->padata->val,
krbtgt);
if(ret)
goto fail;
*subkey = key;
krb5_auth_con_free(context, ac);
}
return 0; return 0;
fail: fail:
free_TGS_REQ (t); free_TGS_REQ (t);
@@ -275,9 +295,12 @@ decrypt_tkt_with_subkey (krb5_context context,
} }
static krb5_error_code static krb5_error_code
get_cred_kdc(krb5_context context, krb5_ccache id, krb5_kdc_flags flags, get_cred_kdc(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
krb5_addresses *addresses, krb5_addresses *addresses,
krb5_creds *in_creds, krb5_creds *krbtgt, krb5_creds *in_creds,
krb5_creds *krbtgt,
krb5_creds **out_creds) krb5_creds **out_creds)
{ {
TGS_REQ req; TGS_REQ req;