static krb5_error_code
krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
krb5_key pkey, krb5_replay_data *replaydata,
krb5_creds ***pppcreds)
{
krb5_error_code retval = 0;
krb5_cred * pcred = NULL;
krb5_int32 ncreds = 0;
krb5_int32 i = 0;
krb5_cred_enc_part encpart;
/* decode cred message */
if ((retval = decode_krb5_cred(pcreddata, &pcred)))
return retval;
memset(&encpart, 0, sizeof(encpart));
if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
goto cleanup_cred;
replaydata->timestamp = encpart.timestamp;
replaydata->usec = encpart.usec;
replaydata->seq = encpart.nonce;
/*
* Allocate the list of creds. The memory is allocated so that
* krb5_free_tgt_creds can be used to free the list.
*/
for (ncreds = 0; pcred->tickets[ncreds]; ncreds++);
if ((*pppcreds =
(krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
(ncreds + 1)))) == NULL) {
retval = ENOMEM;
goto cleanup_cred;
}
(*pppcreds)[0] = NULL;
/*
* For each credential, create a strcture in the list of
* credentials and copy the information.
*/
while (i < ncreds) {
krb5_cred_info * pinfo;
krb5_creds * pcur;
krb5_data * pdata;
if ((pcur = (krb5_creds *)calloc(1, sizeof(krb5_creds))) == NULL) {
retval = ENOMEM;
goto cleanup;
}
(*pppcreds)[i] = pcur;
(*pppcreds)[i+1] = 0;
pinfo = encpart.ticket_info[i++];
if ((retval = krb5_copy_principal(context, pinfo->client,
&pcur->client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, pinfo->server,
&pcur->server)))
goto cleanup;
if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
&pcur->keyblock)))
goto cleanup;
if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
&pcur->addresses)))
goto cleanup;
if ((retval = encode_krb5_ticket(pcred->tickets[i - 1], &pdata)))
goto cleanup;
pcur->ticket = *pdata;
free(pdata);
pcur->is_skey = FALSE;
pcur->magic = KV5M_CREDS;
pcur->times = pinfo->times;
pcur->ticket_flags = pinfo->flags;
pcur->authdata = NULL; /* not used */
memset(&pcur->second_ticket, 0, sizeof(pcur->second_ticket));
}
/*
* NULL terminate the list
*/
(*pppcreds)[i] = NULL;
cleanup:
if (retval) {
krb5_free_tgt_creds(context, *pppcreds);
*pppcreds = NULL;
}
cleanup_cred:
krb5_free_cred(context, pcred);
krb5_free_cred_enc_part(context, &encpart);
return retval;
}
/* Validate a KRB-CRED message in creddata, and return a list of forwarded
* credentials along with replay cache information. */
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context authcon,
krb5_data *creddata, krb5_creds ***creds_out,
krb5_replay_data *replaydata_out)
{
krb5_error_code ret = 0;
krb5_creds **credlist = NULL;
krb5_cred *krbcred = NULL;
krb5_cred_enc_part *encpart = NULL;
krb5_replay_data rdata;
const krb5_int32 flags = authcon->auth_context_flags;
*creds_out = NULL;
if (((flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
replaydata_out == NULL)
return KRB5_RC_REQUIRED;
ret = decode_krb5_cred(creddata, &krbcred);
if (ret)
goto cleanup;
ret = decrypt_encpart(context, &krbcred->enc_part, authcon, &encpart);
if (ret)
goto cleanup;
ret = make_cred_list(context, krbcred, encpart, &credlist);
if (ret)
goto cleanup;
if (authcon->recv_subkey != NULL || authcon->key != NULL) {
rdata.timestamp = encpart->timestamp;
ret = k5_privsafe_check_replay(context, authcon, &rdata,
&krbcred->enc_part, NULL);
if (ret)
goto cleanup;
}
if (flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
if (authcon->remote_seq_number != (uint32_t)encpart->nonce) {
ret = KRB5KRB_AP_ERR_BADORDER;
goto cleanup;
}
authcon->remote_seq_number++;
}
*creds_out = credlist;
credlist = NULL;
if ((flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
replaydata_out->timestamp = encpart->timestamp;
replaydata_out->usec = encpart->usec;
replaydata_out->seq = encpart->nonce;
}
cleanup:
krb5_free_tgt_creds(context, credlist);
krb5_free_cred(context, krbcred);
krb5_free_cred_enc_part(context, encpart);
free(encpart); /* krb5_free_cred_enc_part doesn't do this */
return ret;
}
