Diffstat (limited to 'src/lib/krb5/krb/fwd_tgt.c')
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c191
1 files changed, 96 insertions, 95 deletions
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 08646da6e5..5725e4931a 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_in_tkt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -35,14 +36,14 @@
/* Get a TGT for use at the remote host */
krb5_error_code KRB5_CALLCONV
krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data *outbuf)
-
-
-
-
-
-
- /* Should forwarded TGT also be forwardable? */
-
+
+
+
+
+
+
+/* Should forwarded TGT also be forwardable? */
+
{
krb5_replay_data replaydata;
krb5_data * scratch = 0;
@@ -61,136 +62,136 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
memset(&tgt, 0, sizeof(creds));
if (cc == 0) {
- if ((retval = krb5int_cc_default(context, &cc)))
- goto errout;
- close_cc = 1;
+ if ((retval = krb5int_cc_default(context, &cc)))
+ goto errout;
+ close_cc = 1;
}
retval = krb5_auth_con_getkey (context, auth_context, &session_key);
if (retval)
- goto errout;
+ goto errout;
if (session_key) {
- enctype = session_key->enctype;
- krb5_free_keyblock (context, session_key);
- session_key = NULL;
+ enctype = session_key->enctype;
+ krb5_free_keyblock (context, session_key);
+ session_key = NULL;
} else if (server) { /* must server be non-NULL when rhost is given? */
- /* Try getting credentials to see what the remote side supports.
- Not bulletproof, just a heuristic. */
- krb5_creds in, *out = 0;
- memset (&in, 0, sizeof(in));
-
- retval = krb5_copy_principal (context, server, &in.server);
- if (retval)
- goto punt;
- retval = krb5_copy_principal (context, client, &in.client);
- if (retval)
- goto punt;
- retval = krb5_get_credentials (context, 0, cc, &in, &out);
- if (retval)
- goto punt;
- /* Got the credentials. Okay, now record the enctype and
- throw them away. */
- enctype = out->keyblock.enctype;
- krb5_free_creds (context, out);
+ /* Try getting credentials to see what the remote side supports.
+ Not bulletproof, just a heuristic. */
+ krb5_creds in, *out = 0;
+ memset (&in, 0, sizeof(in));
+
+ retval = krb5_copy_principal (context, server, &in.server);
+ if (retval)
+ goto punt;
+ retval = krb5_copy_principal (context, client, &in.client);
+ if (retval)
+ goto punt;
+ retval = krb5_get_credentials (context, 0, cc, &in, &out);
+ if (retval)
+ goto punt;
+ /* Got the credentials. Okay, now record the enctype and
+ throw them away. */
+ enctype = out->keyblock.enctype;
+ krb5_free_creds (context, out);
punt:
- krb5_free_cred_contents (context, &in);
+ krb5_free_cred_contents (context, &in);
}
if ((retval = krb5_copy_principal(context, client, &creds.client)))
- goto errout;
-
+ goto errout;
+
if ((retval = krb5_build_principal_ext(context, &creds.server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0)))
- goto errout;
-
+ client->realm.length,
+ client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0)))
+ goto errout;
+
/* fetch tgt directly from cache */
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
- &creds, &tgt);
+ &creds, &tgt);
context->use_conf_ktypes = old_use_conf_ktypes;
if (retval)
- goto errout;
+ goto errout;
/* tgt->client must be equal to creds.client */
if (!krb5_principal_compare(context, tgt.client, creds.client)) {
- retval = KRB5_PRINC_NOMATCH;
- goto errout;
+ retval = KRB5_PRINC_NOMATCH;
+ goto errout;
}
if (!tgt.ticket.length) {
- retval = KRB5_NO_TKT_SUPPLIED;
- goto errout;
+ retval = KRB5_NO_TKT_SUPPLIED;
+ goto errout;
}
-
+
if (tgt.addresses && *tgt.addresses) {
- if (rhost == NULL) {
- if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
-retval = KRB5_FWD_BAD_PRINCIPAL;
- goto errout;
- }
-
- if (krb5_princ_size(context, server) < 2){
- retval = KRB5_CC_BADNAME;
- goto errout;
- }
-
- rhost = malloc(server->data[1].length+1);
- if (!rhost) {
- retval = ENOMEM;
- goto errout;
- }
- free_rhost = 1;
- memcpy(rhost, server->data[1].data, server->data[1].length);
- rhost[server->data[1].length] = '\0';
- }
-
- retval = krb5_os_hostaddr(context, rhost, &addrs);
- if (retval)
- goto errout;
+ if (rhost == NULL) {
+ if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
+ retval = KRB5_FWD_BAD_PRINCIPAL;
+ goto errout;
+ }
+
+ if (krb5_princ_size(context, server) < 2){
+ retval = KRB5_CC_BADNAME;
+ goto errout;
+ }
+
+ rhost = malloc(server->data[1].length+1);
+ if (!rhost) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ free_rhost = 1;
+ memcpy(rhost, server->data[1].data, server->data[1].length);
+ rhost[server->data[1].length] = '\0';
+ }
+
+ retval = krb5_os_hostaddr(context, rhost, &addrs);
+ if (retval)
+ goto errout;
}
-
+
creds.keyblock.enctype = enctype;
creds.times = tgt.times;
creds.times.starttime = 0;
kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
- kdcoptions &= ~(KDC_OPT_FORWARDABLE);
+ kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds))) {
- if (enctype) {
- creds.keyblock.enctype = 0;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds)))
- goto errout;
- }
- else goto errout;
+ addrs, &creds, &pcreds))) {
+ if (enctype) {
+ creds.keyblock.enctype = 0;
+ if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds)))
+ goto errout;
+ }
+ else goto errout;
}
retval = krb5_mk_1cred(context, auth_context, pcreds,
&scratch, &replaydata);
krb5_free_creds(context, pcreds);
if (retval) {
- if (scratch)
- krb5_free_data(context, scratch);
+ if (scratch)
+ krb5_free_data(context, scratch);
} else {
- *outbuf = *scratch;
- free(scratch);
+ *outbuf = *scratch;
+ free(scratch);
}
-
+
errout:
if (addrs)
- krb5_free_addresses(context, addrs);
+ krb5_free_addresses(context, addrs);
if (close_cc)
- krb5_cc_close(context, cc);
+ krb5_cc_close(context, cc);
if (free_rhost)
- free(rhost);
+ free(rhost);
krb5_free_cred_contents(context, &creds);
krb5_free_cred_contents(context, &tgt);
return retval;