* auth_con.h auth_con.c Added for krb5_auth_con definition and

support routines. * mk_req.c (krb5_mk_req()) * mk_req_ext.c (krb5_mk_req_extended()) * rd_rep.c (krb5_rd_rep()) * sendauth.c (krb5_sendauth()) * mk_priv.c (krb5_mk_priv()) * mk_safe.c (krb5_mk_safe()) * rd_priv.c (krb5_rd_priv()) * rd_safe.c (krb5_rd_safe()) Added a krb5_auth_context argument and eliminated many of the other arguments because they are included in the krb5_auth_context structure. * send_tgs.c (krb5_send_tgs()) Eliminate call to krb5_mk_req_extended(), which does far more than krb5_send_tgs() needs. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5099 dc483132-0cff-0310-8789-dd5450dbe970
author: Chris Provenzano <proven@mit.edu> 1995-03-10 17:26:04 +0000
committer: Chris Provenzano <proven@mit.edu> 1995-03-10 17:26:04 +0000
commit: b2f49b74f53d6deafc39fc0069de3e249a383b13 (patch)
tree: 339c5c75b96c433c666183d92478c11ccc42d669 /src/lib/krb5/krb/rd_safe.c
parent: 84ea6e41500ad94dd417841b307d142d7055e056 (diff)
download: krb5-b2f49b74f53d6deafc39fc0069de3e249a383b13.tar.gz
krb5-b2f49b74f53d6deafc39fc0069de3e249a383b13.tar.xz
krb5-b2f49b74f53d6deafc39fc0069de3e249a383b13.zip
1 files changed, 124 insertions, 92 deletions
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 68c264bc8e..f97ca201b5 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -25,6 +25,7 @@
  */
 
 #include "k5-int.h"
+#include "auth_con.h"
 
 extern krb5_deltat krb5_clockskew;
 #define in_clock_skew(date) (labs((date)-currenttime) < krb5_clockskew)
@@ -42,21 +43,19 @@ extern krb5_deltat krb5_clockskew;
 
  returns system errors, integrity errors
  */
-krb5_error_code INTERFACE
-krb5_rd_safe(context, inbuf, key, sender_addr, recv_addr, seq_number, 
-	     safe_flags, rcache, outbuf)
-    krb5_context context;
-    const krb5_data *inbuf;
-    const krb5_keyblock *key;
-    const krb5_address *sender_addr;
-    const krb5_address *recv_addr;
-    krb5_int32 seq_number;
-    krb5_int32 safe_flags;
-    krb5_rcache rcache;
-    krb5_data *outbuf;
+static krb5_error_code
+krb5_rd_safe_basic(context, inbuf, keyblock, recv_addr, sender_addr, 
+	     	   replaydata, outbuf)
+    krb5_context          context;
+    const krb5_data     * inbuf;
+    const krb5_keyblock * keyblock;
+    const krb5_address  * recv_addr;
+    const krb5_address  * sender_addr;
+    krb5_replay_data    * replaydata; 
+    krb5_data           * outbuf;
 {
-    krb5_error_code retval;
-    krb5_safe *message;
+    krb5_error_code 	  retval;
+    krb5_safe 		* message;
     krb5_checksum our_cksum, *his_cksum;
     krb5_octet zero_octet = 0;
     krb5_data *scratch;
@@ -68,79 +67,37 @@ krb5_rd_safe(context, inbuf, key, sender_addr, recv_addr, seq_number,
     if (retval = decode_krb5_safe(inbuf, &message))
 	return retval;
 
-#define cleanup() krb5_free_safe(context, message)
-
     if (!valid_cksumtype(message->checksum->checksum_type)) {
-	cleanup();
-	return KRB5_PROG_SUMTYPE_NOSUPP;
+	retval = KRB5_PROG_SUMTYPE_NOSUPP;
+	goto cleanup;
     }
     if (!is_coll_proof_cksum(message->checksum->checksum_type) ||
 	!is_keyed_cksum(message->checksum->checksum_type)) {
-	cleanup();
-	return KRB5KRB_AP_ERR_INAPP_CKSUM;
-    }
-
-    if (!(safe_flags & KRB5_SAFE_NOTIME)) {
-	krb5_donot_replay replay;
-
-	if (retval = krb5_timeofday(context, &currenttime)) {
-	    cleanup();
-	    return retval;
-	}
-	/* in_clock_skew #defined above */
-	if (!in_clock_skew(message->timestamp)) {
-	    cleanup();
-	    return KRB5KRB_AP_ERR_SKEW;
-	}
-	if (!rcache) {
-	    /* gotta provide an rcache in this case... */
-	    cleanup();
-	    return KRB5_RC_REQUIRED;
-	}
-	if (retval = krb5_gen_replay_name(context, sender_addr, "_safe",
-					  &replay.client)) {
-	    cleanup();
-	    return retval;
-	}
-	replay.server = "";		/* XXX */
-	replay.cusec = message->usec;
-	replay.ctime = message->timestamp;
-	if (retval = krb5_rc_store(context, rcache, &replay)) {
-	    krb5_xfree(replay.client);
-	    cleanup();
-	    return retval;
-	}
-	krb5_xfree(replay.client);
+	retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
+	goto cleanup;
     }
 
-    if (safe_flags & KRB5_SAFE_DOSEQUENCE)
-	if (message->seq_number != seq_number) {
-	    cleanup();
-	    return KRB5KRB_AP_ERR_BADORDER;
-	}
-
     if (!krb5_address_compare(context, sender_addr, message->s_address)) {
-	cleanup();
-	return KRB5KRB_AP_ERR_BADADDR;
+	retval = KRB5KRB_AP_ERR_BADADDR;
+	goto cleanup;
     }
 
     if (message->r_address) {
 	if (recv_addr) {
 	    if (!krb5_address_compare(context, recv_addr, message->r_address)) {
-		cleanup();
-		return KRB5KRB_AP_ERR_BADADDR;
+		retval = KRB5KRB_AP_ERR_BADADDR;
+		goto cleanup;
 	    }
 	} else {
 	    krb5_address **our_addrs;
 	
-	    if (retval = krb5_os_localaddr( &our_addrs)) {
-		cleanup();
-		return retval;
-	    }
+	    if (retval = krb5_os_localaddr( &our_addrs)) 
+		goto cleanup;
+	    
 	    if (!krb5_address_search(context, message->r_address, our_addrs)) {
 		krb5_free_addresses(context, our_addrs);
-		cleanup();
-		return KRB5KRB_AP_ERR_BADADDR;
+		retval = KRB5KRB_AP_ERR_BADADDR;
+		goto cleanup;
 	    }
 	    krb5_free_addresses(context, our_addrs);
 	}
@@ -152,56 +109,131 @@ krb5_rd_safe(context, inbuf, key, sender_addr, recv_addr, seq_number,
      */
     his_cksum = message->checksum;
 
-    our_cksum.checksum_type = 0;
     our_cksum.length = 0;
+    our_cksum.checksum_type = 0;
     our_cksum.contents = &zero_octet;
 
     message->checksum = &our_cksum;
 
-    if (retval = encode_krb5_safe(message, &scratch)) {
-	message->checksum = his_cksum;
-	cleanup();
-	return retval;
-    }
+    if (retval = encode_krb5_safe(message, &scratch)) 
+	goto cleanup;
+
     message->checksum = his_cksum;
 			 
     if (!(our_cksum.contents = (krb5_octet *)
 	  malloc(krb5_checksum_size(context, his_cksum->checksum_type)))) {
-	cleanup();
-	return ENOMEM;
+	retval = ENOMEM;
+	goto cleanup;
     }
 
-#undef cleanup
-#define cleanup() {krb5_free_safe(context, message); krb5_xfree(our_cksum.contents);}
-
     retval = krb5_calculate_checksum(context, his_cksum->checksum_type,
 				     scratch->data, scratch->length,
-				     (krb5_pointer) key->contents,
-				     key->length, &our_cksum);
+				     (krb5_pointer) keyblock->contents,
+				     keyblock->length, &our_cksum);
     (void) memset((char *)scratch->data, 0, scratch->length);
     krb5_free_data(context, scratch);
     
     if (retval) {
-	cleanup();
-	return retval;
+	goto cleanup_cksum;
     }
 
     if (our_cksum.length != his_cksum->length ||
 	memcmp((char *)our_cksum.contents, (char *)his_cksum->contents,
 	       our_cksum.length)) {
-	cleanup();
-	return KRB5KRB_AP_ERR_MODIFIED;
+	retval = KRB5KRB_AP_ERR_MODIFIED;
+	goto cleanup_cksum;
     }
 
+    replaydata->timestamp = message->timestamp;
+    replaydata->usec = message->usec;
+    replaydata->seq = message->seq_number;
+
     *outbuf = message->user_data;
+    message->user_data.data = NULL;
 
-    krb5_xfree(our_cksum.contents);
-    if (message->s_address)
-	krb5_free_address(context, message->s_address);
-    if (message->r_address)
-	krb5_free_address(context, message->r_address);
     krb5_free_checksum(context, his_cksum);
-    krb5_xfree(message);
+    return 0;
 
+cleanup_cksum:
+    krb5_xfree(our_cksum.contents);
+
+cleanup:
+    krb5_free_safe(context, message);
+    return retval;
+}
+
+krb5_error_code INTERFACE
+krb5_rd_safe(context, auth_context, inbuf, outbuf, outdata)
+    krb5_context 	context;
+    krb5_auth_context *  auth_context;
+    const krb5_data   * inbuf;
+    krb5_data 	      * outbuf;
+    krb5_replay_data  * outdata;
+{
+    krb5_error_code 	retval;
+    krb5_replay_data	replaydata;
+
+    if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
+      (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+      (outdata == NULL)) 
+	/* Need a better error */
+	return KRB5_RC_REQUIRED;
+
+    if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
+      (auth_context->rcache == NULL)) 
+	return KRB5_RC_REQUIRED;
+
+    if (retval = krb5_rd_safe_basic(context, inbuf, auth_context->keyblock,
+      auth_context->local_addr, auth_context->remote_addr,
+      auth_context->cksumtype, &replaydata, outbuf))
+	return retval;
+
+    if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
+	krb5_donot_replay replay;
+    	krb5_timestamp currenttime;
+
+	if (retval = krb5_timeofday(context, &currenttime)) 
+	    goto error;
+
+	if (!in_clock_skew(replaydata.timestamp)) {
+	    retval =  KRB5KRB_AP_ERR_SKEW;
+	    goto error;
+	}
+
+	if (retval = krb5_gen_replay_name(context, auth_context->remote_addr, 
+					  "_safe", &replay.client)) 
+	    goto error;
+
+	replay.server = "";		/* XXX */
+	replay.cusec = replaydata.usec;
+	replay.ctime = replaydata.timestamp;
+	if (retval = krb5_rc_store(context, auth_context->rcache, &replay)) {
+	    krb5_xfree(replay.client);
+	    goto error;
+	}
+	krb5_xfree(replay.client);
+    }
+
+    if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
+	if (auth_context->remote_seq_number != replaydata.seq) {
+	    retval =  KRB5KRB_AP_ERR_BADORDER;
+	    goto error;
+	}
+    }
+
+    if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
+      (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+	outdata->timestamp = replaydata.timestamp;
+	outdata->usec = replaydata.usec;
+	outdata->seq = replaydata.seq;
+    }
+	
+    /* everything is ok - return data to the user */
     return 0;
+
+error:;
+    krb5_xfree(outbuf->data);
+    return retval;
+
 }
+
author	Chris Provenzano <proven@mit.edu>	1995-03-10 17:26:04 +0000
committer	Chris Provenzano <proven@mit.edu>	1995-03-10 17:26:04 +0000
commit	b2f49b74f53d6deafc39fc0069de3e249a383b13 (patch)
tree	339c5c75b96c433c666183d92478c11ccc42d669 /src/lib/krb5/krb/rd_safe.c
parent	84ea6e41500ad94dd417841b307d142d7055e056 (diff)
download	krb5-b2f49b74f53d6deafc39fc0069de3e249a383b13.tar.gz krb5-b2f49b74f53d6deafc39fc0069de3e249a383b13.tar.xz krb5-b2f49b74f53d6deafc39fc0069de3e249a383b13.zip