/*
- * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include <krb5_locl.h>
-RCSID("$Id: rd_req.c 22235 2007-12-08 21:52:07Z lha $");
+RCSID("$Id$");
static krb5_error_code
decrypt_tkt_enc_part (krb5_context context,
if (ret)
return ret;
- ret = krb5_decode_EncTicketPart(context, plain.data, plain.length,
+ ret = krb5_decode_EncTicketPart(context, plain.data, plain.length,
decr_part, &len);
krb5_data_free (&plain);
return ret;
if (ret)
return ret;
- ret = krb5_decode_Authenticator(context, plain.data, plain.length,
+ ret = krb5_decode_Authenticator(context, plain.data, plain.length,
authenticator, &len);
krb5_data_free (&plain);
return ret;
return ret;
if (ap_req->pvno != 5){
free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_BADVERSION;
}
if (ap_req->msg_type != krb_ap_req){
free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_MSG_TYPE;
}
if (ap_req->ticket.tkt_vno != 5){
free_AP_REQ(ap_req);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_BADVERSION;
}
return 0;
check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
{
char **realms;
- int num_realms;
+ unsigned int num_realms;
krb5_error_code ret;
-
- /*
+
+ /*
* Windows 2000 and 2003 uses this inside their TGT so it's normaly
* not seen by others, however, samba4 joined with a Windows AD as
* a Domain Controller gets exposed to this.
if(enc->transited.contents.length == 0)
return 0;
- ret = krb5_domain_x500_decode(context, enc->transited.contents,
- &realms, &num_realms,
+ ret = krb5_domain_x500_decode(context, enc->transited.contents,
+ &realms, &num_realms,
enc->crealm,
ticket->realm);
if(ret)
return ret;
- ret = krb5_check_transited(context, enc->crealm,
- ticket->realm,
+ ret = krb5_check_transited(context, enc->crealm,
+ ticket->realm,
realms, num_realms, NULL);
free(realms);
return ret;
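Review bot: The `num_realms` type change at the top of check_transited from `int` to `unsigned int` is only sound if the `krb5_domain_x500_decode` and `krb5_check_transited` prototypes (outside this diff) were changed in the same commit to take `unsigned int *` / `unsigned int`; otherwise the `&num_realms` argument becomes an incompatible-pointer-type warning that is easy to miss. The count is still passed straight through to `krb5_check_transited` and the array freed with `free(realms)` as before, so the behaviour of the transited check itself is unchanged by this hunk. A one-line comment on the declaration, `/* unsigned: matches the count type returned by krb5_domain_x500_decode */`, would record the dependency for the next reader. check_transited's body starts within the hunk but the surrounding function context is cut by the diff.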
etypes,
NULL);
if (ret)
- krb5_clear_error_string(context);
+ krb5_clear_error_message(context);
free_AD_IF_RELEVANT(&adIfRelevant);
ret = decrypt_tkt_enc_part (context, key, &ticket->enc_part, &t);
if (ret)
return ret;
-
+
{
krb5_timestamp now;
time_t start = t.authtime;
|| (t.flags.invalid
&& !(flags & KRB5_VERIFY_AP_REQ_IGNORE_INVALID))) {
free_EncTicketPart(&t);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_TKT_NYV;
}
if(now - t.endtime > context->max_skew) {
free_EncTicketPart(&t);
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
}
}
}
-
+
if(out)
*out = t;
else
krb5_keyblock *key;
krb5_authenticator authenticator;
krb5_crypto crypto;
-
+
ret = krb5_auth_con_getauthenticator (context,
ac,
&authenticator);
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
-
+
if (ticket)
*ticket = NULL;
t = calloc(1, sizeof(*t));
if (t == NULL) {
ret = ENOMEM;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
if (ap_req->ap_options.use_session_key && ac->keyblock){
- ret = krb5_decrypt_ticket(context, &ap_req->ticket,
- ac->keyblock,
+ ret = krb5_decrypt_ticket(context, &ap_req->ticket,
+ ac->keyblock,
&t->ticket,
flags);
krb5_free_keyblock(context, ac->keyblock);
ac->keyblock = NULL;
}else
- ret = krb5_decrypt_ticket(context, &ap_req->ticket,
- keyblock,
+ ret = krb5_decrypt_ticket(context, &ap_req->ticket,
+ keyblock,
&t->ticket,
flags);
-
+
if(ret)
goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->server,
- ap_req->ticket.sname,
+ ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->client,
- t->ticket.cname,
+ t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
- /* save key */
-
- ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
- if (ret) goto out;
-
ret = decrypt_authenticator (context,
&t->ticket.key,
&ap_req->authenticator,
ac->authenticator->cname,
ac->authenticator->crealm);
_krb5_principalname2krb5_principal(context,
- &p2,
+ &p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare (context, p1, p2);
krb5_free_principal (context, p2);
if (!res) {
ret = KRB5KRB_AP_ERR_BADMATCH;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
}
ac->remote_address,
t->ticket.caddr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
if (abs(ac->authenticator->ctime - now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
- krb5_clear_error_string (context);
+ krb5_clear_error_message (context);
goto out;
}
}
}
}
+ /* save key */
+ ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
+ if (ret) goto out;
+
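Review bot: The `/* save key */` copy into `ac->keyblock` has moved from before `decrypt_authenticator` to after the client-name, address and clock-skew checks, which changes what the auth context holds on every `goto out` taken in between: on the `use_session_key` path the keyblock was already freed and NULLed earlier in this function, so a failed verification now leaves `ac->keyblock` empty instead of holding the ticket session key. That is the fail-closed behaviour one wants, but the comment should say so, e.g. `/* Only publish the ticket session key in the auth context once the authenticator, address and skew checks have all passed. */`. Note also that `krb5_copy_keyblock` still overwrites `ac->keyblock` without releasing a keyblock the caller may have left there on the keytab path (the `else` branch does not clear it), which is pre-existing and presumably handled by the caller — worth confirming rather than assuming. The enclosing function starts and ends outside this hunk.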
if (ap_req_options) {
*ap_req_options = 0;
if (ac->keytype != ETYPE_NULL)
krb5_auth_con_free (context, ac);
return ret;
}
-
+
/*
*
*/
{
*ctx = calloc(1, sizeof(**ctx));
if (*ctx == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
(*ctx)->check_pac = (context->flags & KRB5_CTX_F_CHECK_PAC) ? 1 : 0;
}
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_keytab(krb5_context context,
+krb5_rd_req_in_set_keytab(krb5_context context,
krb5_rd_req_in_ctx in,
krb5_keytab keytab)
{
/**
* Set if krb5_rq_red() is going to check the Windows PAC or not
- *
+ *
* @param context Keberos 5 context.
* @param in krb5_rd_req_in_ctx to check the option on.
* @param flag flag to select if to check the pac (TRUE) or not (FALSE).
*/
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_pac_check(krb5_context context,
+krb5_rd_req_in_set_pac_check(krb5_context context,
krb5_rd_req_in_ctx in,
krb5_boolean flag)
{
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_in_set_keyblock(krb5_context context,
+krb5_rd_req_in_set_keyblock(krb5_context context,
krb5_rd_req_in_ctx in,
krb5_keyblock *keyblock)
{
}
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_ap_req_options(krb5_context context,
+krb5_rd_req_out_get_ap_req_options(krb5_context context,
krb5_rd_req_out_ctx out,
krb5_flags *ap_req_options)
{
}
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_ticket(krb5_context context,
+krb5_rd_req_out_get_ticket(krb5_context context,
krb5_rd_req_out_ctx out,
krb5_ticket **ticket)
{
}
krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_out_get_keyblock(krb5_context context,
+krb5_rd_req_out_get_keyblock(krb5_context context,
krb5_rd_req_out_ctx out,
krb5_keyblock **keyblock)
{
{
*ctx = calloc(1, sizeof(**ctx));
if (*ctx == NULL) {
- krb5_set_error_string(context, "out of memory");
+ krb5_set_error_message(context, ENOMEM,
+ N_("malloc: out of memory", ""));
return ENOMEM;
}
return 0;
ret = krb5_rd_req_in_ctx_alloc(context, &in);
if (ret)
return ret;
-
+
ret = krb5_rd_req_in_set_keytab(context, in, keytab);
if (ret) {
krb5_rd_req_in_ctx_free(context, in);
ret = krb5_rd_req_in_ctx_alloc(context, &in);
if (ret)
return ret;
-
+
ret = krb5_rd_req_in_set_keyblock(context, in, keyblock);
if (ret) {
krb5_rd_req_in_ctx_free(context, in);
krb5_kt_default(context, &real_keytab);
else
real_keytab = keytab;
-
+
if (ap_req->ticket.enc_part.kvno)
kvno = *ap_req->ticket.enc_part.kvno;
else
goto out;
ret = krb5_copy_keyblock(context, &entry.keyblock, out_key);
krb5_kt_free_entry (context, &entry);
-out:
+out:
if(keytab == NULL)
krb5_kt_close(context, real_keytab);
-
+
return ret;
}
}
if (ap_req.ap_options.use_session_key &&
(*auth_context)->keyblock == NULL) {
- krb5_set_error_string(context, "krb5_rd_req: user to user auth "
- "without session key given");
ret = KRB5KRB_AP_ERR_NOKEY;
+ krb5_set_error_message(context, ret,
+ N_("krb5_rd_req: user to user auth "
+ "without session key given", ""));
goto out;
}
if (inctx && inctx->keytab)
keytab = inctx->keytab;
- ret = get_key_from_keytab(context,
- auth_context,
+ ret = get_key_from_keytab(context,
+ auth_context,
&ap_req,
server,
keytab,
goto out;
ret = krb5_pac_verify(context,
- pac,
+ pac,
o->ticket->ticket.authtime,
- o->ticket->client,
- o->keyblock,
+ o->ticket->client,
+ o->keyblock,
NULL);
krb5_pac_free(context, pac);
if (ret)
out:
if (ret || outctx == NULL) {
krb5_rd_req_out_ctx_free(context, o);
- } else
+ } else
*outctx = o;
free_AP_REQ(&ap_req);