diff options
Diffstat (limited to 'src/lib/krb5/krb/fwd_tgt.c')
-rw-r--r-- | src/lib/krb5/krb/fwd_tgt.c | 191 |
1 files changed, 96 insertions, 95 deletions
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index 08646da6e5..5725e4931a 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * lib/krb5/krb/get_in_tkt.c * @@ -8,7 +9,7 @@ * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. - * + * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright @@ -35,14 +36,14 @@ /* Get a TGT for use at the remote host */ krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data *outbuf) - - - - - - - /* Should forwarded TGT also be forwardable? */ - + + + + + + +/* Should forwarded TGT also be forwardable? */ + { krb5_replay_data replaydata; krb5_data * scratch = 0; @@ -61,136 +62,136 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r memset(&tgt, 0, sizeof(creds)); if (cc == 0) { - if ((retval = krb5int_cc_default(context, &cc))) - goto errout; - close_cc = 1; + if ((retval = krb5int_cc_default(context, &cc))) + goto errout; + close_cc = 1; } retval = krb5_auth_con_getkey (context, auth_context, &session_key); if (retval) - goto errout; + goto errout; if (session_key) { - enctype = session_key->enctype; - krb5_free_keyblock (context, session_key); - session_key = NULL; + enctype = session_key->enctype; + krb5_free_keyblock (context, session_key); + session_key = NULL; } else if (server) { /* must server be non-NULL when rhost is given? */ - /* Try getting credentials to see what the remote side supports. - Not bulletproof, just a heuristic. */ - krb5_creds in, *out = 0; - memset (&in, 0, sizeof(in)); - - retval = krb5_copy_principal (context, server, &in.server); - if (retval) - goto punt; - retval = krb5_copy_principal (context, client, &in.client); - if (retval) - goto punt; - retval = krb5_get_credentials (context, 0, cc, &in, &out); - if (retval) - goto punt; - /* Got the credentials. Okay, now record the enctype and - throw them away. */ - enctype = out->keyblock.enctype; - krb5_free_creds (context, out); + /* Try getting credentials to see what the remote side supports. + Not bulletproof, just a heuristic. */ + krb5_creds in, *out = 0; + memset (&in, 0, sizeof(in)); + + retval = krb5_copy_principal (context, server, &in.server); + if (retval) + goto punt; + retval = krb5_copy_principal (context, client, &in.client); + if (retval) + goto punt; + retval = krb5_get_credentials (context, 0, cc, &in, &out); + if (retval) + goto punt; + /* Got the credentials. Okay, now record the enctype and + throw them away. */ + enctype = out->keyblock.enctype; + krb5_free_creds (context, out); punt: - krb5_free_cred_contents (context, &in); + krb5_free_cred_contents (context, &in); } if ((retval = krb5_copy_principal(context, client, &creds.client))) - goto errout; - + goto errout; + if ((retval = krb5_build_principal_ext(context, &creds.server, - client->realm.length, - client->realm.data, - KRB5_TGS_NAME_SIZE, - KRB5_TGS_NAME, - client->realm.length, - client->realm.data, - 0))) - goto errout; - + client->realm.length, + client->realm.data, + KRB5_TGS_NAME_SIZE, + KRB5_TGS_NAME, + client->realm.length, + client->realm.data, + 0))) + goto errout; + /* fetch tgt directly from cache */ context->use_conf_ktypes = 1; retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES, - &creds, &tgt); + &creds, &tgt); context->use_conf_ktypes = old_use_conf_ktypes; if (retval) - goto errout; + goto errout; /* tgt->client must be equal to creds.client */ if (!krb5_principal_compare(context, tgt.client, creds.client)) { - retval = KRB5_PRINC_NOMATCH; - goto errout; + retval = KRB5_PRINC_NOMATCH; + goto errout; } if (!tgt.ticket.length) { - retval = KRB5_NO_TKT_SUPPLIED; - goto errout; + retval = KRB5_NO_TKT_SUPPLIED; + goto errout; } - + if (tgt.addresses && *tgt.addresses) { - if (rhost == NULL) { - if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) { -retval = KRB5_FWD_BAD_PRINCIPAL; - goto errout; - } - - if (krb5_princ_size(context, server) < 2){ - retval = KRB5_CC_BADNAME; - goto errout; - } - - rhost = malloc(server->data[1].length+1); - if (!rhost) { - retval = ENOMEM; - goto errout; - } - free_rhost = 1; - memcpy(rhost, server->data[1].data, server->data[1].length); - rhost[server->data[1].length] = '\0'; - } - - retval = krb5_os_hostaddr(context, rhost, &addrs); - if (retval) - goto errout; + if (rhost == NULL) { + if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) { + retval = KRB5_FWD_BAD_PRINCIPAL; + goto errout; + } + + if (krb5_princ_size(context, server) < 2){ + retval = KRB5_CC_BADNAME; + goto errout; + } + + rhost = malloc(server->data[1].length+1); + if (!rhost) { + retval = ENOMEM; + goto errout; + } + free_rhost = 1; + memcpy(rhost, server->data[1].data, server->data[1].length); + rhost[server->data[1].length] = '\0'; + } + + retval = krb5_os_hostaddr(context, rhost, &addrs); + if (retval) + goto errout; } - + creds.keyblock.enctype = enctype; creds.times = tgt.times; creds.times.starttime = 0; kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED; if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */ - kdcoptions &= ~(KDC_OPT_FORWARDABLE); + kdcoptions &= ~(KDC_OPT_FORWARDABLE); if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, - addrs, &creds, &pcreds))) { - if (enctype) { - creds.keyblock.enctype = 0; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, - addrs, &creds, &pcreds))) - goto errout; - } - else goto errout; + addrs, &creds, &pcreds))) { + if (enctype) { + creds.keyblock.enctype = 0; + if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, + addrs, &creds, &pcreds))) + goto errout; + } + else goto errout; } retval = krb5_mk_1cred(context, auth_context, pcreds, &scratch, &replaydata); krb5_free_creds(context, pcreds); if (retval) { - if (scratch) - krb5_free_data(context, scratch); + if (scratch) + krb5_free_data(context, scratch); } else { - *outbuf = *scratch; - free(scratch); + *outbuf = *scratch; + free(scratch); } - + errout: if (addrs) - krb5_free_addresses(context, addrs); + krb5_free_addresses(context, addrs); if (close_cc) - krb5_cc_close(context, cc); + krb5_cc_close(context, cc); if (free_rhost) - free(rhost); + free(rhost); krb5_free_cred_contents(context, &creds); krb5_free_cred_contents(context, &tgt); return retval; |