44a083081c
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@871 ec53bebd-3082-4978-b11e-865c3cabbd6b
272 lines
7.3 KiB
C
272 lines
7.3 KiB
C
#include "krb5_locl.h"
|
|
#include <krb5_error.h>
|
|
|
|
static krb5_error_code
|
|
krb5_get_salt (krb5_principal princ,
|
|
krb5_data realm,
|
|
krb5_data *salt)
|
|
{
|
|
size_t len;
|
|
int i;
|
|
krb5_error_code err;
|
|
char *p;
|
|
|
|
len = realm.length;
|
|
for (i = 0; i < princ->ncomp; ++i)
|
|
len += princ->comp[i].length;
|
|
err = krb5_data_alloc (salt, len);
|
|
if (err)
|
|
return err;
|
|
p = salt->data;
|
|
strncpy (p, realm.data, realm.length);
|
|
p += realm.length;
|
|
for (i = 0; i < princ->ncomp; ++i) {
|
|
strncpy (p, princ->comp[i].data, princ->comp[i].length);
|
|
p += princ->comp[i].length;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static krb5_error_code
|
|
decrypt_tkt (krb5_context context,
|
|
const krb5_keyblock *key,
|
|
krb5_const_pointer decrypt_arg,
|
|
krb5_kdc_rep *dec_rep)
|
|
{
|
|
des_key_schedule sched;
|
|
char *buf;
|
|
int i;
|
|
int len = dec_rep->part1.enc_part.cipher.length;
|
|
|
|
des_set_key (key->contents.data, sched);
|
|
buf = malloc (len);
|
|
if (buf == NULL)
|
|
return ENOMEM;
|
|
des_cbc_encrypt ((des_cblock *)dec_rep->part1.enc_part.cipher.data,
|
|
(des_cblock *)buf,
|
|
len,
|
|
sched,
|
|
key->contents.data,
|
|
DES_DECRYPT);
|
|
/* XXX: Check CRC */
|
|
|
|
i = decode_EncTGSRepPart((unsigned char*)buf + 12, len - 12, &dec_rep->part2);
|
|
free (buf);
|
|
if (i < 0)
|
|
return ASN1_PARSE_ERROR;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
*
|
|
*/
|
|
|
|
krb5_error_code
|
|
krb5_principal2principalname (PrincipalName *p,
|
|
krb5_principal from)
|
|
{
|
|
int i;
|
|
|
|
p->name_type = from->type;
|
|
p->name_string.len = from->ncomp;
|
|
p->name_string.val = malloc(from->ncomp * sizeof(*p->name_string.val));
|
|
for (i = 0; i < from->ncomp; ++i) {
|
|
int len = from->comp[i].length;
|
|
p->name_string.val[i] = malloc(len + 1);
|
|
strncpy (p->name_string.val[i], from->comp[i].data, len);
|
|
p->name_string.val[i][len] = '\0';
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
krb5_error_code
|
|
principalname2krb5_principal (krb5_principal p,
|
|
PrincipalName from,
|
|
krb5_data realm)
|
|
{
|
|
int i;
|
|
|
|
p = malloc (sizeof(*p));
|
|
p->type = from.name_type;
|
|
p->ncomp = from.name_string.len;
|
|
p->comp = malloc (p->ncomp * sizeof(*p->comp));
|
|
for (i = 0; i < p->ncomp; ++i) {
|
|
int len = strlen(from.name_string.val[i]) + 1;
|
|
p->comp[i].length = len;
|
|
p->comp[i].data = strdup(from.name_string.val[i]);
|
|
}
|
|
p->realm = realm;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
*
|
|
*/
|
|
|
|
krb5_error_code
|
|
krb5_get_in_tkt(krb5_context context,
|
|
krb5_flags options,
|
|
krb5_address *const *addrs,
|
|
const krb5_enctype *etypes,
|
|
const krb5_preauthtype *ptypes,
|
|
krb5_key_proc key_proc,
|
|
krb5_const_pointer keyseed,
|
|
krb5_decrypt_proc decrypt_proc,
|
|
krb5_const_pointer decryptarg,
|
|
krb5_creds *creds,
|
|
krb5_ccache ccache,
|
|
krb5_kdc_rep **ret_as_reply)
|
|
{
|
|
krb5_error_code err;
|
|
AS_REQ a;
|
|
krb5_kdc_rep rep;
|
|
krb5_data req, resp;
|
|
char buf[BUFSIZ];
|
|
krb5_data salt;
|
|
krb5_keyblock *key;
|
|
|
|
a.pvno = 5;
|
|
a.msg_type = krb_as_req;
|
|
memset (&a.req_body.kdc_options, 0, sizeof(a.req_body.kdc_options));
|
|
/* a.kdc_options */
|
|
a.req_body.cname = malloc(sizeof(*a.req_body.cname));
|
|
a.req_body.sname = malloc(sizeof(*a.req_body.sname));
|
|
krb5_principal2principalname (a.req_body.cname, creds->client);
|
|
krb5_principal2principalname (a.req_body.sname, creds->server);
|
|
a.req_body.realm = malloc(creds->client->realm.length + 1);
|
|
strncpy (a.req_body.realm, creds->client->realm.data,
|
|
creds->client->realm.length);
|
|
a.req_body.realm[creds->client->realm.length] = '\0';
|
|
|
|
a.req_body.till = creds->times.endtime;
|
|
a.req_body.nonce = 17;
|
|
if (etypes)
|
|
abort ();
|
|
else {
|
|
err = krb5_get_default_in_tkt_etypes (context,
|
|
(krb5_enctype**)&a.req_body.etype.val);
|
|
if (err)
|
|
return err;
|
|
a.req_body.etype.len = 1;
|
|
}
|
|
if (addrs){
|
|
} else {
|
|
a.req_body.addresses = malloc(sizeof(*a.req_body.addresses));
|
|
|
|
err = krb5_get_all_client_addrs ((krb5_addresses*)a.req_body.addresses);
|
|
if (err)
|
|
return err;
|
|
}
|
|
a.req_body.enc_authorization_data = NULL;
|
|
a.req_body.additional_tickets = NULL;
|
|
a.padata = NULL;
|
|
|
|
req.length = encode_AS_REQ ((unsigned char*)buf + sizeof(buf) - 1,
|
|
sizeof(buf),
|
|
&a);
|
|
if (req.length < 0)
|
|
return ASN1_PARSE_ERROR;
|
|
req.data = buf + sizeof(buf) - req.length;
|
|
if (addrs == NULL) {
|
|
int i;
|
|
|
|
for (i = 0; i < a.req_body.addresses->len; ++i)
|
|
krb5_data_free (&a.req_body.addresses->val[i].address);
|
|
free (a.req_body.addresses->val);
|
|
}
|
|
|
|
err = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
|
|
if (err) {
|
|
return err;
|
|
}
|
|
if(decode_AS_REP(resp.data, resp.length, &rep.part1) < 0)
|
|
return ASN1_PARSE_ERROR;
|
|
|
|
free (rep.part1.crealm);
|
|
/* krb5_principal_free (rep.part1.cname);*/
|
|
creds->ticket.kvno = rep.part1.ticket.tkt_vno;
|
|
creds->ticket.etype = rep.part1.enc_part.etype;
|
|
creds->ticket.enc_part.length = 0;
|
|
creds->ticket.enc_part.data = NULL;
|
|
krb5_data_copy (&creds->ticket.enc_part,
|
|
rep.part1.ticket.enc_part.cipher.data,
|
|
rep.part1.ticket.enc_part.cipher.length);
|
|
krb5_data_free (&rep.part1.ticket.enc_part.cipher);
|
|
|
|
principalname2krb5_principal (creds->ticket.sprinc,
|
|
rep.part1.ticket.sname,
|
|
creds->client->realm);
|
|
/* krb5_free_principal (rep.part1.ticket.sprinc);*/
|
|
|
|
salt.length = 0;
|
|
salt.data = NULL;
|
|
err = krb5_get_salt (creds->client, creds->client->realm, &salt);
|
|
if (err)
|
|
return err;
|
|
err = (*key_proc)(context, rep.part1.enc_part.etype, &salt,
|
|
keyseed, &key);
|
|
krb5_data_free (&salt);
|
|
if (err)
|
|
return err;
|
|
|
|
if (decrypt_proc == NULL)
|
|
decrypt_proc = decrypt_tkt;
|
|
|
|
err = (*decrypt_proc)(context, key, decryptarg, &rep);
|
|
if (err)
|
|
return err;
|
|
memset (key->contents.data, 0, key->contents.length);
|
|
krb5_data_free (&key->contents);
|
|
free (key);
|
|
if (rep.part2.key_expiration)
|
|
free (rep.part2.key_expiration);
|
|
if (rep.part2.starttime) {
|
|
creds->times.starttime = *rep.part2.starttime;
|
|
free (rep.part2.starttime);
|
|
} else
|
|
creds->times.starttime = rep.part2.authtime;
|
|
if (rep.part2.renew_till) {
|
|
creds->times.renew_till = *rep.part2.renew_till;
|
|
free (rep.part2.renew_till);
|
|
} else
|
|
creds->times.renew_till = rep.part2.endtime;
|
|
creds->times.authtime = rep.part2.authtime;
|
|
creds->times.endtime = rep.part2.endtime;
|
|
#if 0 /* What? */
|
|
if (rep.part2.req.values)
|
|
free (rep.part2.req.values);
|
|
#endif
|
|
#if 0
|
|
if (rep.part2.caddr.addrs) {
|
|
int i;
|
|
|
|
for (i = 0; i < rep.part2.caddr.number; ++i) {
|
|
krb5_data_free (&rep.part2.caddr.addrs[i].address);
|
|
}
|
|
free (rep.part2.caddr.addrs);
|
|
}
|
|
krb5_principal_free (rep.part2.sname);
|
|
krb5_data_free (&rep.part2.srealm);
|
|
#endif
|
|
|
|
if (err)
|
|
return err;
|
|
|
|
creds->session.contents.length = 0;
|
|
creds->session.contents.data = NULL;
|
|
creds->session.keytype = rep.part2.key.keytype;
|
|
err = krb5_data_copy (&creds->session.contents,
|
|
rep.part2.key.keyvalue.data,
|
|
rep.part2.key.keyvalue.length);
|
|
memset (rep.part2.key.keyvalue.data, 0,
|
|
rep.part2.key.keyvalue.length);
|
|
krb5_data_free (&rep.part2.key.keyvalue);
|
|
creds->authdata.length = 0;
|
|
creds->authdata.data = NULL;
|
|
|
|
if (err)
|
|
return err;
|
|
|
|
return krb5_cc_store_cred (context, ccache, creds);
|
|
}
|