root/source4/heimdal/lib/krb5/convert_creds.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. check_ticket_flags
  2. krb524_convert_creds_kdc
  3. krb524_convert_creds_kdc_ccache

   1 /*
   2  * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33 
  34 #include "krb5_locl.h"
  35 RCSID("$Id$");
  36 
  37 #include "krb5-v4compat.h"
  38 
  39 static krb5_error_code
  40 check_ticket_flags(TicketFlags f)
     /* [<][>][^][v][top][bottom][index][help] */
  41 {
  42     return 0; /* maybe add some more tests here? */
  43 }
  44 
  45 /**
  46  * Convert the v5 credentials in in_cred to v4-dito in v4creds.  This
  47  * is done by sending them to the 524 function in the KDC.  If
  48  * `in_cred' doesn't contain a DES session key, then a new one is
  49  * gotten from the KDC and stored in the cred cache `ccache'.
  50  *
  51  * @param context Kerberos 5 context.
  52  * @param in_cred the credential to convert
  53  * @param v4creds the converted credential
  54  *
  55  * @return Returns 0 to indicate success. Otherwise an kerberos et
  56  * error code is returned, see krb5_get_error_message().
  57  *
  58  * @ingroup krb5_v4compat
  59  */
  60 
  61 krb5_error_code KRB5_LIB_FUNCTION
  62 krb524_convert_creds_kdc(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  63                          krb5_creds *in_cred,
  64                          struct credentials *v4creds)
  65 {
  66     krb5_error_code ret;
  67     krb5_data reply;
  68     krb5_storage *sp;
  69     int32_t tmp;
  70     krb5_data ticket;
  71     char realm[REALM_SZ];
  72     krb5_creds *v5_creds = in_cred;
  73 
  74     ret = check_ticket_flags(v5_creds->flags.b);
  75     if(ret)
  76         goto out2;
  77 
  78     {
  79         krb5_krbhst_handle handle;
  80 
  81         ret = krb5_krbhst_init(context,
  82                                krb5_principal_get_realm(context,
  83                                                         v5_creds->server),
  84                                KRB5_KRBHST_KRB524,
  85                                &handle);
  86         if (ret)
  87             goto out2;
  88 
  89         ret = krb5_sendto (context,
  90                            &v5_creds->ticket,
  91                            handle,
  92                            &reply);
  93         krb5_krbhst_free(context, handle);
  94         if (ret)
  95             goto out2;
  96     }
  97     sp = krb5_storage_from_mem(reply.data, reply.length);
  98     if(sp == NULL) {
  99         ret = ENOMEM;
 100         krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
 101         goto out2;
 102     }
 103     krb5_ret_int32(sp, &tmp);
 104     ret = tmp;
 105     if(ret == 0) {
 106         memset(v4creds, 0, sizeof(*v4creds));
 107         ret = krb5_ret_int32(sp, &tmp);
 108         if(ret)
 109             goto out;
 110         v4creds->kvno = tmp;
 111         ret = krb5_ret_data(sp, &ticket);
 112         if(ret)
 113             goto out;
 114         v4creds->ticket_st.length = ticket.length;
 115         memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length);
 116         krb5_data_free(&ticket);
 117         ret = krb5_524_conv_principal(context,
 118                                       v5_creds->server,
 119                                       v4creds->service,
 120                                       v4creds->instance,
 121                                       v4creds->realm);
 122         if(ret)
 123             goto out;
 124         v4creds->issue_date = v5_creds->times.starttime;
 125         v4creds->lifetime = _krb5_krb_time_to_life(v4creds->issue_date,
 126                                                    v5_creds->times.endtime);
 127         ret = krb5_524_conv_principal(context, v5_creds->client,
 128                                       v4creds->pname,
 129                                       v4creds->pinst,
 130                                       realm);
 131         if(ret)
 132             goto out;
 133         memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8);
 134     } else {
 135         krb5_set_error_message (context, ret,
 136                                 N_("converting credentials: %s",
 137                                   "already localized"),
 138                                 krb5_get_err_text(context, ret));
 139     }
 140 out:
 141     krb5_storage_free(sp);
 142     krb5_data_free(&reply);
 143 out2:
 144     if (v5_creds != in_cred)
 145         krb5_free_creds (context, v5_creds);
 146     return ret;
 147 }
 148 
 149 /**
 150  * Convert the v5 credentials in in_cred to v4-dito in v4creds,
 151  * check the credential cache ccache before checking with the KDC.
 152  *
 153  * @param context Kerberos 5 context.
 154  * @param ccache credential cache used to check for des-ticket.
 155  * @param in_cred the credential to convert
 156  * @param v4creds the converted credential
 157  *
 158  * @return Returns 0 to indicate success. Otherwise an kerberos et
 159  * error code is returned, see krb5_get_error_message().
 160  *
 161  * @ingroup krb5_v4compat
 162  */
 163 
 164 krb5_error_code KRB5_LIB_FUNCTION
 165 krb524_convert_creds_kdc_ccache(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
 166                                 krb5_ccache ccache,
 167                                 krb5_creds *in_cred,
 168                                 struct credentials *v4creds)
 169 {
 170     krb5_error_code ret;
 171     krb5_creds *v5_creds = in_cred;
 172     krb5_keytype keytype;
 173 
 174     keytype = v5_creds->session.keytype;
 175 
 176     if (keytype != ENCTYPE_DES_CBC_CRC) {
 177         /* MIT krb524d doesn't like nothing but des-cbc-crc tickets,
 178            so go get one */
 179         krb5_creds template;
 180 
 181         memset (&template, 0, sizeof(template));
 182         template.session.keytype = ENCTYPE_DES_CBC_CRC;
 183         ret = krb5_copy_principal (context, in_cred->client, &template.client);
 184         if (ret) {
 185             krb5_free_cred_contents (context, &template);
 186             return ret;
 187         }
 188         ret = krb5_copy_principal (context, in_cred->server, &template.server);
 189         if (ret) {
 190             krb5_free_cred_contents (context, &template);
 191             return ret;
 192         }
 193 
 194         ret = krb5_get_credentials (context, 0, ccache,
 195                                     &template, &v5_creds);
 196         krb5_free_cred_contents (context, &template);
 197         if (ret)
 198             return ret;
 199     }
 200 
 201     ret = krb524_convert_creds_kdc(context, v5_creds, v4creds);
 202 
 203     if (v5_creds != in_cred)
 204         krb5_free_creds (context, v5_creds);
 205     return ret;
 206 }

/* [<][>][^][v][top][bottom][index][help] */