From 2a548e1f5b1050e362f2b8520d845fc4cd922530 Mon Sep 17 00:00:00 2001
From: Theodore Tso
Date: Wed, 10 Jan 1996 03:56:23 +0000
Subject: forward.c (get_for_creds): Removed no longer used function kerberos5.c (kerberos5_forward): Convert from using get_for_creds() from forward.c to using the official library routine, krb5_fwd_tgt_creds(). Misc. lint cleanups.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7285 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/telnet/libtelnet/ChangeLog | 9 +++
 src/appl/telnet/libtelnet/forward.c | 144 ----------------------------------
 src/appl/telnet/libtelnet/kerberos5.c | 67 +++++++++++-----
 3 files changed, 55 insertions(+), 165 deletions(-)
diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog
index 43ee6162e4..032f6de495 100644
--- a/src/appl/telnet/libtelnet/ChangeLog
+++ b/src/appl/telnet/libtelnet/ChangeLog
@@ -1,3 +1,12 @@
+Tue Jan 9 22:53:58 1996 Theodore Y. Ts'o
+
+ * forward.c (get_for_creds): Removed no longer used function.
+
+ * kerberos5.c (kerberos5_forward): Convert from using
+ get_for_creds() from forward.c to using the official
+ library routine, krb5_fwd_tgt_creds(). Misc. lint
+ cleanups.
+
 Sun Nov 12 04:48:41 1995 Mark W. Eichin
 
 * forward.c: set KRB5_DEFAULT_LIFE to 10 hours, not 8.
diff --git a/src/appl/telnet/libtelnet/forward.c b/src/appl/telnet/libtelnet/forward.c
index c86a28a651..1647b6004f 100644
--- a/src/appl/telnet/libtelnet/forward.c
+++ b/src/appl/telnet/libtelnet/forward.c
@@ -79,148 +79,4 @@ cleanup:
 return retval;
 }
 
-
-#define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
-/* helper function: convert flags to necessary KDC options */
-#define flags2options(flags) (flags & KDC_TKT_COMMON_MASK)
-
-/* Get a TGT for use at the remote host */
-krb5_error_code INTERFACE
-get_for_creds(context, auth_context, rhost, client, forwardable, outbuf)
- krb5_context context;
- krb5_auth_context auth_context;
- char *rhost;
- krb5_principal client;
- int forwardable; /* Should forwarded TGT also be forwardable? */
- krb5_data *outbuf;
-{
- krb5_replay_data replaydata;
- krb5_data * scratch;
- struct hostent *hp;
- krb5_address **addrs;
- krb5_error_code retval;
- krb5_error *err_reply;
- krb5_creds creds, tgt;
- krb5_creds *pcreds;
- krb5_ccache cc;
- krb5_flags kdcoptions;
- krb5_timestamp now;
- char *remote_host = 0;
- char **hrealms = 0;
- int i;
-
- memset((char *)&creds, 0, sizeof(creds));
-
- if (!rhost || !(hp = gethostbyname(rhost)))
- return KRB5_ERR_BAD_HOSTNAME;
-
- remote_host = (char *) malloc(strlen(hp->h_name)+1);
- if (!remote_host) {
- retval = ENOMEM;
- goto errout;
- }
- strcpy(remote_host, hp->h_name);
-
- if (retval = krb5_get_host_realm(context, remote_host, &hrealms))
- goto errout;
- if (!hrealms[0]) {
- retval = KRB5_ERR_HOST_REALM_UNKNOWN;
- goto errout;
- }
-
- /* Count elements */
- for(i=0; hp->h_addr_list[i]; i++);
-
- addrs = (krb5_address **) malloc ((i+1)*sizeof(*addrs));
- if (!addrs) {
- retval = ENOMEM;
- goto errout;
- }
- memset(addrs, 0, (i+1)*sizeof(*addrs));
-
- for(i=0; hp->h_addr_list[i]; i++) {
- addrs[i] = (krb5_address *) malloc(sizeof(krb5_address));
- if (!addrs[i]) {
- retval = ENOMEM;
- goto errout;
- }
- addrs[i]->addrtype = hp->h_addrtype;
- addrs[i]->length = hp->h_length;
- addrs[i]->contents = (unsigned char *)malloc(addrs[i]->length);
- if (!addrs[i]->contents) {
- retval = ENOMEM;
- goto errout;
- }
- memcpy ((char *)addrs[i]->contents, hp->h_addr_list[i],
- addrs[i]->length);
- }
- addrs[i] = 0;
-
- if (retval = krb5_copy_principal(context, client, &creds.client))
- goto errout;
-
- if (retval = krb5_build_principal_ext(context, &creds.server,
- strlen(hrealms[0]),
- hrealms[0],
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0))
- goto errout;
-
- creds.times.starttime = 0;
- if (retval = krb5_timeofday(context, &now))
- goto errout;
-
- creds.times.endtime = now + KRB5_DEFAULT_LIFE;
- creds.times.renew_till = 0;
-
- if (retval = krb5_cc_default(context, &cc))
- goto errout;
-
- /* fetch tgt directly from cache */
- retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_MATCH_SRV_NAMEONLY,
- &creds, &tgt);
- krb5_cc_close(context, cc);
- if (retval)
- goto errout;
-
- /* tgt->client must be equal to creds.client */
- if (!krb5_principal_compare(context, tgt.client, creds.client)) {
- retval = KRB5_PRINC_NOMATCH;
- goto errout;
- }
-
- if (!tgt.ticket.length) {
- retval = KRB5_NO_TKT_SUPPLIED;
- goto errout;
- }
-
- kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
-
- if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
- kdcoptions &= ~(KDC_OPT_FORWARDABLE);
-
- if (retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds))
- goto errout;
-
- retval = krb5_mk_1cred(context, auth_context, pcreds,
- &scratch, &replaydata);
- krb5_free_creds(context, pcreds);
- *outbuf = *scratch;
- krb5_xfree(scratch);
-
-errout:
- if (remote_host)
- free(remote_host);
- if (hrealms)
- krb5_xfree(hrealms);
- if (addrs)
- krb5_free_addresses(context, addrs);
- krb5_free_cred_contents(context, &creds);
- return retval;
-}
-
 #endif /* defined(KRB5) && defined(FORWARD) */
diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c
index 6c8969f1f3..c3b70ddb97 100644
--- a/src/appl/telnet/libtelnet/kerberos5.c
+++ b/src/appl/telnet/libtelnet/kerberos5.c
@@ -187,7 +187,6 @@ kerberos5_send(ap)
 krb5_ccache ccache;
 krb5_creds creds; /* telnet gets session key from here */
 krb5_creds * new_creds = 0;
- extern krb5_flags krb5_kdc_default_options;
 int ap_opts;
 
 #ifdef ENCRYPTION
@@ -201,7 +200,7 @@ kerberos5_send(ap)
 return(0);
 }
 
- if (r = krb5_cc_default(telnet_context, &ccache)) {
+ if ((r = krb5_cc_default(telnet_context, &ccache))) {
 if (auth_debug_mode) {
 printf("Kerberos V5: could not get default ccache\r\n");
 }
@@ -209,8 +208,9 @@ kerberos5_send(ap)
 }
 
 memset((char *)&creds, 0, sizeof(creds));
- if (r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
- KRB5_NT_SRV_HST, &creds.server)) {
+ if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName,
+ "host", KRB5_NT_SRV_HST,
+ &creds.server))) {
 if (auth_debug_mode)
 printf("Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
 return(0);
@@ -229,7 +229,8 @@ kerberos5_send(ap)
 krb5_princ_set_realm(telnet_context, creds.server, &rdata);
 }
 
- if (r = krb5_cc_get_principal(telnet_context, ccache, &creds.client)) {
+ if ((r = krb5_cc_get_principal(telnet_context, ccache,
+ &creds.client))) {
 if (auth_debug_mode) {
 printf("Kerberos V5: failure on principal (%s)\r\n",
 error_message(r));
@@ -238,8 +239,8 @@ kerberos5_send(ap)
 return(0);
 }
 
- if (r = krb5_get_credentials(telnet_context, 0,
- ccache, &creds, &new_creds)) {
+ if ((r = krb5_get_credentials(telnet_context, 0,
+ ccache, &creds, &new_creds))) {
 if (auth_debug_mode) {
 printf("Kerberos V5: failure on credentials(%s)\r\n",
 error_message(r));
@@ -257,7 +258,7 @@ kerberos5_send(ap)
 ap_opts |= AP_OPTS_USE_SUBKEY;
 #endif /* ENCRYPTION */
 
- if (r = krb5_auth_con_init(telnet_context, &auth_context)) {
+ if ((r = krb5_auth_con_init(telnet_context, &auth_context))) {
 if (auth_debug_mode) {
 printf("Kerberos V5: failed to init auth_context (%s)\r\n",
 error_message(r));
@@ -380,7 +381,8 @@ kerberos5_is(ap, data, cnt)
 }
 if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
 /* do ap_rep stuff here */
- if (r = krb5_mk_rep(telnet_context, auth_context, &outbuf))
+ if ((r = krb5_mk_rep(telnet_context, auth_context,
+ &outbuf)))
 goto errout;
 
 Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
@@ -506,8 +508,8 @@ kerberos5_reply(ap, data, cnt)
 inbuf.length = cnt;
 inbuf.data = (char *)data;
 
- if (r = krb5_rd_rep(telnet_context, auth_context, &inbuf,
- &reply)) {
+ if ((r = krb5_rd_rep(telnet_context, auth_context, &inbuf,
+ &reply))) {
 printf("[ Mutual authentication failed: %s ]\r\n",
 error_message(r));
 auth_send_retry();
@@ -638,37 +640,51 @@ kerberos5_forward(ap)
 {
 krb5_error_code r;
 krb5_ccache ccache;
- krb5_principal client;
+ krb5_principal client = 0;
+ krb5_principal server = 0;
 krb5_data forw_creds;
 
- if (r = krb5_cc_default(telnet_context, &ccache)) {
+ forw_creds.data = 0;
+
+ if ((r = krb5_cc_default(telnet_context, &ccache))) {
 if (auth_debug_mode)
 printf("Kerberos V5: could not get default ccache - %s\r\n",
 error_message(r));
 return;
 }
 
- if (r = krb5_cc_get_principal(telnet_context, ccache, &client)) {
+ if ((r = krb5_cc_get_principal(telnet_context, ccache, &client))) {
 if (auth_debug_mode)
 printf("Kerberos V5: could not get default principal - %s\r\n",
 error_message(r));
- return;
+ goto cleanup;
+ }
+
+ if ((r = krb5_sname_to_principal(telnet_context, RemoteHostName, "host",
+ KRB5_NT_SRV_HST, &server))) {
+ if (auth_debug_mode)
+ printf("Kerberos V5: could not make server principal - %s\r\n",
+ error_message(r));
+ goto cleanup;
 }
+
 
- if (r = krb5_auth_con_genaddrs(telnet_context, auth_context, net,
- KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR)) {
+ if ((r = krb5_auth_con_genaddrs(telnet_context, auth_context, net,
+ KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))) {
 if (auth_debug_mode)
 printf("Kerberos V5: could not gen local full address - %s\r\n",
 error_message(r));
- return;
+ goto cleanup;
 }
 
- if (r = get_for_creds(telnet_context, auth_context, RemoteHostName, client,
- forward_flags & OPTS_FORWARDABLE_CREDS, &forw_creds)){
+ if ((r = krb5_fwd_tgt_creds(telnet_context, auth_context, 0, client,
+ server, ccache,
+ forward_flags & OPTS_FORWARDABLE_CREDS,
+ &forw_creds))) {
 if (auth_debug_mode)
 printf("Kerberos V5: error getting forwarded creds - %s\r\n",
 error_message(r));
- return;
+ goto cleanup;
 }
 
 /* Send forwarded credentials */
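Review bot: The third argument to `krb5_fwd_tgt_creds` is a bare `0` with nothing saying why no host name is passed, while the removed `get_for_creds` call handed over `RemoteHostName` explicitly. As far as I can tell the library takes the target host from the second component of `server` when `rhost` is NULL, which is the reason the new `krb5_sname_to_principal(..., "host", KRB5_NT_SRV_HST, &server)` call is needed at all; a comment on the call such as `/* rhost == 0: library derives the target host from the host-based 'server' principal */` would tie the two together, and the claim should be checked against the library before it is written down as fact. Separately, the added `+` blank line after the closing brace of the new `server` block sits next to the existing blank context line, so the new file has two empty lines before the `krb5_auth_con_genaddrs` call. The `cleanup:` label these `goto`s target, and the rest of the function, lie outside this hunk.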
@@ -679,6 +695,15 @@ kerberos5_forward(ap)
 if (auth_debug_mode)
 printf("Forwarded local Kerberos V5 credentials to server\r\n");
 }
+
+cleanup:
+ if (client)
+ krb5_free_principal(telnet_context, client);
+ if (server)
+ krb5_free_principal(telnet_context, server);
+ if (forw_creds.data)
+ free(forw_creds.data);
+ krb5_cc_close(telnet_context, ccache);
 }
 
 #endif /* FORWARD */
-- cgit
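Review bot: `free(forw_creds.data)` releases a buffer that was presumably allocated inside `krb5_fwd_tgt_creds`, so the caller is assuming the library allocates with plain `malloc`; the deleted `get_for_creds` released the library-returned wrapper with `krb5_xfree`, and this cleanup should keep that pairing, either `krb5_xfree(forw_creds.data);` or a library routine for releasing `krb5_data` contents if one exists at this revision. The unconditional `krb5_cc_close(telnet_context, ccache)` is correct only because the sole remaining bare `return` in the first hunk comes before `krb5_cc_default` succeeds; the send path between the two hunks is not visible here, so any early `return` it contains would now bypass both the principal frees and the close. A comment on the label would make that invariant explicit: `/* every exit after krb5_cc_default succeeds must come through here */`.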