get_for_creds.c revision 72445
1/* 2 * Copyright (c) 1997 - 2000 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#include <krb5_locl.h> 35 36RCSID("$Id: get_for_creds.c,v 1.27 2000/08/18 06:47:40 assar Exp $"); 37 38static krb5_error_code 39add_addrs(krb5_context context, 40 krb5_addresses *addr, 41 struct addrinfo *ai) 42{ 43 krb5_error_code ret; 44 unsigned n, i, j; 45 void *tmp; 46 struct addrinfo *a; 47 48 n = 0; 49 for (a = ai; a != NULL; a = a->ai_next) 50 ++n; 51 52 i = addr->len; 53 addr->len += n; 54 tmp = realloc(addr->val, addr->len * sizeof(*addr->val)); 55 if (tmp == NULL) { 56 ret = ENOMEM; 57 goto fail; 58 } 59 addr->val = tmp; 60 for (j = i; j < addr->len; ++j) { 61 addr->val[i].addr_type = 0; 62 krb5_data_zero(&addr->val[i].address); 63 } 64 for (a = ai; a != NULL; a = a->ai_next) { 65 ret = krb5_sockaddr2address (a->ai_addr, &addr->val[i]); 66 if (ret == 0) 67 ++i; 68 else if (ret != KRB5_PROG_ATYPE_NOSUPP) 69 goto fail; 70 } 71 addr->len = i; 72 return 0; 73fail: 74 krb5_free_addresses (context, addr); 75 return ret; 76} 77 78/* 79 * 80 */ 81 82krb5_error_code 83krb5_fwd_tgt_creds (krb5_context context, 84 krb5_auth_context auth_context, 85 const char *hostname, 86 krb5_principal client, 87 krb5_principal server, 88 krb5_ccache ccache, 89 int forwardable, 90 krb5_data *out_data) 91{ 92 krb5_flags flags = 0; 93 krb5_creds creds; 94 krb5_error_code ret; 95 96 flags |= KDC_OPT_FORWARDED; 97 98 if (forwardable) 99 flags |= KDC_OPT_FORWARDABLE; 100 101 102 memset (&creds, 0, sizeof(creds)); 103 creds.client = client; 104 creds.server = server; 105 106 ret = krb5_get_forwarded_creds (context, 107 auth_context, 108 ccache, 109 flags, 110 hostname, 111 &creds, 112 out_data); 113 return ret; 114} 115 116/* 117 * 118 */ 119 120krb5_error_code 121krb5_get_forwarded_creds (krb5_context context, 122 krb5_auth_context auth_context, 123 krb5_ccache ccache, 124 krb5_flags flags, 125 const char *hostname, 126 krb5_creds *in_creds, 127 krb5_data *out_data) 128{ 129 krb5_error_code ret; 130 krb5_creds *out_creds; 131 krb5_addresses addrs; 132 KRB_CRED cred; 133 KrbCredInfo *krb_cred_info; 134 EncKrbCredPart enc_krb_cred_part; 135 size_t len; 136 u_char buf[1024]; 137 int32_t sec, usec; 138 krb5_kdc_flags kdc_flags; 139 krb5_crypto crypto; 140 struct addrinfo *ai; 141 142 addrs.len = 0; 143 addrs.val = NULL; 144 145 ret = getaddrinfo (hostname, NULL, NULL, &ai); 146 if (ret) 147 return krb5_eai_to_heim_errno(ret); 148 149 ret = add_addrs (context, &addrs, ai); 150 freeaddrinfo (ai); 151 if (ret) 152 return ret; 153 154 kdc_flags.i = flags; 155 156 ret = krb5_get_kdc_cred (context, 157 ccache, 158 kdc_flags, 159 &addrs, 160 NULL, 161 in_creds, 162 &out_creds); 163 krb5_free_addresses (context, &addrs); 164 if (ret) { 165 return ret; 166 } 167 168 memset (&cred, 0, sizeof(cred)); 169 cred.pvno = 5; 170 cred.msg_type = krb_cred; 171 ALLOC_SEQ(&cred.tickets, 1); 172 if (cred.tickets.val == NULL) { 173 ret = ENOMEM; 174 goto out2; 175 } 176 ret = decode_Ticket(out_creds->ticket.data, 177 out_creds->ticket.length, 178 cred.tickets.val, &len); 179 if (ret) 180 goto out3; 181 182 memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); 183 ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1); 184 if (enc_krb_cred_part.ticket_info.val == NULL) { 185 ret = ENOMEM; 186 goto out4; 187 } 188 189 krb5_us_timeofday (context, &sec, &usec); 190 191 ALLOC(enc_krb_cred_part.timestamp, 1); 192 if (enc_krb_cred_part.timestamp == NULL) { 193 ret = ENOMEM; 194 goto out4; 195 } 196 *enc_krb_cred_part.timestamp = sec; 197 ALLOC(enc_krb_cred_part.usec, 1); 198 if (enc_krb_cred_part.usec == NULL) { 199 ret = ENOMEM; 200 goto out4; 201 } 202 *enc_krb_cred_part.usec = usec; 203 204 if (auth_context->local_address && auth_context->local_port) { 205 ret = krb5_make_addrport (&enc_krb_cred_part.s_address, 206 auth_context->local_address, 207 auth_context->local_port); 208 if (ret) 209 goto out4; 210 } 211 212 if (auth_context->remote_address) { 213 ALLOC(enc_krb_cred_part.r_address, 1); 214 if (enc_krb_cred_part.r_address == NULL) { 215 ret = ENOMEM; 216 goto out4; 217 } 218 219 ret = krb5_copy_address (context, auth_context->remote_address, 220 enc_krb_cred_part.r_address); 221 if (ret) 222 goto out4; 223 } 224 225 /* fill ticket_info.val[0] */ 226 227 enc_krb_cred_part.ticket_info.len = 1; 228 229 krb_cred_info = enc_krb_cred_part.ticket_info.val; 230 231 copy_EncryptionKey (&out_creds->session, &krb_cred_info->key); 232 ALLOC(krb_cred_info->prealm, 1); 233 copy_Realm (&out_creds->client->realm, krb_cred_info->prealm); 234 ALLOC(krb_cred_info->pname, 1); 235 copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname); 236 ALLOC(krb_cred_info->flags, 1); 237 *krb_cred_info->flags = out_creds->flags.b; 238 ALLOC(krb_cred_info->authtime, 1); 239 *krb_cred_info->authtime = out_creds->times.authtime; 240 ALLOC(krb_cred_info->starttime, 1); 241 *krb_cred_info->starttime = out_creds->times.starttime; 242 ALLOC(krb_cred_info->endtime, 1); 243 *krb_cred_info->endtime = out_creds->times.endtime; 244 ALLOC(krb_cred_info->renew_till, 1); 245 *krb_cred_info->renew_till = out_creds->times.renew_till; 246 ALLOC(krb_cred_info->srealm, 1); 247 copy_Realm (&out_creds->server->realm, krb_cred_info->srealm); 248 ALLOC(krb_cred_info->sname, 1); 249 copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname); 250 ALLOC(krb_cred_info->caddr, 1); 251 copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr); 252 253 krb5_free_creds (context, out_creds); 254 255 /* encode EncKrbCredPart */ 256 257 ret = krb5_encode_EncKrbCredPart (context, 258 buf + sizeof(buf) - 1, sizeof(buf), 259 &enc_krb_cred_part, &len); 260 free_EncKrbCredPart (&enc_krb_cred_part); 261 if (ret) { 262 free_KRB_CRED(&cred); 263 return ret; 264 } 265 266 ret = krb5_crypto_init(context, auth_context->local_subkey, 0, &crypto); 267 if (ret) { 268 free_KRB_CRED(&cred); 269 return ret; 270 } 271 ret = krb5_encrypt_EncryptedData (context, 272 crypto, 273 KRB5_KU_KRB_CRED, 274 buf + sizeof(buf) - len, 275 len, 276 0, 277 &cred.enc_part); 278 krb5_crypto_destroy(context, crypto); 279 if (ret) { 280 free_KRB_CRED(&cred); 281 return ret; 282 } 283 284 ret = encode_KRB_CRED (buf + sizeof(buf) - 1, sizeof(buf), 285 &cred, &len); 286 free_KRB_CRED (&cred); 287 if (ret) 288 return ret; 289 out_data->length = len; 290 out_data->data = malloc(len); 291 if (out_data->data == NULL) 292 return ENOMEM; 293 memcpy (out_data->data, buf + sizeof(buf) - len, len); 294 return 0; 295out4: 296 free_EncKrbCredPart(&enc_krb_cred_part); 297out3: 298 free_KRB_CRED(&cred); 299out2: 300 krb5_free_creds (context, out_creds); 301 return ret; 302} 303