static krb5_error_code
decrypt_tkt_enc_part(krb5_context context,
krb5_keyblock *key,
EncryptedData *enc_part,
EncTicketPart *decr_part)
{
krb5_error_code ret;
krb5_data plain;
size_t len;
krb5_crypto crypto;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;
ret = krb5_decrypt_EncryptedData(context,
crypto,
KRB5_KU_TICKET,
enc_part,
&plain);
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len);
if (ret)
krb5_set_error_message(context, ret,
N_("Failed to decode encrypted "
"ticket part", ""));
krb5_data_free(&plain);
return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_decode_EncTicketPart (krb5_context context,
const void *data,
size_t length,
EncTicketPart *t,
size_t *len)
{
return decode_EncTicketPart(data, length, t, len);
}
static void
print_and_decode_tkt (krb5_context context,
krb5_data *ticket,
krb5_principal server,
krb5_enctype enctype)
{
krb5_error_code ret;
krb5_crypto crypto;
krb5_data dec_data;
size_t len;
EncTicketPart decr_part;
krb5_keyblock key;
Ticket tkt;
ret = decode_Ticket (ticket->data, ticket->length, &tkt, &len);
if (ret)
krb5_err (context, 1, ret, "decode_Ticket");
ret = krb5_string_to_key (context, enctype, "foo", server, &key);
if (ret)
krb5_err (context, 1, ret, "krb5_string_to_key");
ret = krb5_crypto_init(context, &key, 0, &crypto);
if (ret)
krb5_err (context, 1, ret, "krb5_crypto_init");
ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET,
&tkt.enc_part, &dec_data);
krb5_crypto_destroy (context, crypto);
if (ret)
krb5_err (context, 1, ret, "krb5_decrypt_EncryptedData");
ret = decode_EncTicketPart (dec_data.data, dec_data.length,
&decr_part, &len);
krb5_data_free (&dec_data);
if (ret)
krb5_err (context, 1, ret, "krb5_decode_EncTicketPart");
free_EncTicketPart(&decr_part);
}
static void do_v5_kvno (int count, char *names[],
char * ccache_name, char *etype_str, char *keytab_name,
char *sname)
{
krb5_error_code ret;
krb5_context context = 0;
int i, errors;
krb5_enctype etype;
krb5_ccache ccache;
krb5_principal me;
krb5_creds in_creds, *out_creds = NULL;
Ticket ticket;
size_t len;
char *princ = NULL;
krb5_keytab keytab = NULL;
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if (etype_str) {
ret = krb5_string_to_enctype(context, etype_str, &etype);
if (ret)
krb5_err(context, 1, ret, "Failed to convert encryption type %s", etype_str);
} else {
etype = 0;
}
if (ccache_name)
ret = krb5_cc_resolve(context, ccache_name, &ccache);
else
ret = krb5_cc_default(context, &ccache);
if (ret)
krb5_err(context, 1, ret, "Failed to open credentials cache %s",
(ccache_name) ? ccache_name : "(Default)");
if (keytab_name) {
ret = krb5_kt_resolve(context, keytab_name, &keytab);
if (ret)
krb5_err(context, 1, ret, "Can't resolve keytab %s", keytab_name);
}
ret = krb5_cc_get_principal(context, ccache, &me);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
errors = 0;
for (i = 0; i < count; i++) {
memset(&in_creds, 0, sizeof(in_creds));
memset(&ticket, 0, sizeof(ticket));
in_creds.client = me;
if (sname != NULL) {
ret = krb5_sname_to_principal(context, names[i],
sname, KRB5_NT_SRV_HST,
&in_creds.server);
} else {
ret = krb5_parse_name(context, names[i], &in_creds.server);
}
if (ret) {
if (!quiet_flag)
krb5_warn(context, ret, "Couldn't parse principal name %s", names[i]);
errors++;
continue;
}
ret = krb5_unparse_name(context, in_creds.server, &princ);
if (ret) {
krb5_warn(context, ret, "Couldn't format parsed principal name for '%s'",
names[i]);
errors++;
goto next;
}
in_creds.session.keytype = etype;
ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds);
if (ret) {
krb5_warn(context, ret, "Couldn't get credentials for %s", princ);
errors++;
goto next;
}
ret = decode_Ticket(out_creds->ticket.data, out_creds->ticket.length,
&ticket, &len);
if (ret) {
krb5_err(context, 1, ret, "Can't decode ticket for %s", princ);
errors++;
goto next;
continue;
}
if (keytab) {
krb5_keytab_entry kte;
krb5_crypto crypto;
krb5_data dec_data;
EncTicketPart decr_part;
ret = krb5_kt_get_entry(context, keytab, in_creds.server,
(ticket.enc_part.kvno != NULL)?
*ticket.enc_part.kvno : 0,
ticket.enc_part.etype,
&kte);
if (ret) {
krb5_warn(context, ret, "Can't decrypt ticket for %s", princ);
if (!quiet_flag)
printf("%s: kvno = %d, keytab entry invalid", princ,
(ticket.enc_part.kvno != NULL)?
*ticket.enc_part.kvno : 0);
errors ++;
goto next;
}
ret = krb5_crypto_init(context, &kte.keyblock, 0, &crypto);
if (ret) {
krb5_warn(context, ret, "krb5_crypto_init");
errors ++;
krb5_kt_free_entry(context, &kte);
goto next;
}
ret = krb5_decrypt_EncryptedData (context, crypto, KRB5_KU_TICKET,
&ticket.enc_part, &dec_data);
krb5_crypto_destroy(context, crypto);
krb5_kt_free_entry(context, &kte);
if (ret) {
krb5_warn(context, ret, "krb5_decrypt_EncryptedData");
errors ++;
goto next;
}
ret = decode_EncTicketPart(dec_data.data, dec_data.length,
&decr_part, &len);
krb5_data_free(&dec_data);
if (ret) {
krb5_warn(context, ret, "decode_EncTicketPart");
errors ++;
goto next;
}
if (!quiet_flag)
printf("%s: kvno = %d, keytab entry valid\n", princ,
(ticket.enc_part.kvno != NULL)?
*ticket.enc_part.kvno : 0);
free_EncTicketPart(&decr_part);
} else {
if (!quiet_flag)
printf("%s: kvno = %d\n", princ,
(ticket.enc_part.kvno != NULL)? *ticket.enc_part.kvno : 0);
}
next:
if (out_creds) {
krb5_free_creds(context, out_creds);
out_creds = NULL;
}
if (princ) {
krb5_free_unparsed_name(context, princ);
princ = NULL;
}
krb5_free_principal(context, in_creds.server);
free_Ticket(&ticket);
}
if (keytab)
krb5_kt_close(context, keytab);
krb5_free_principal(context, me);
krb5_cc_close(context, ccache);
krb5_free_context(context);
if (errors)
exit(1);
exit(0);
}
DWORD
VmKdcDecodeEncTicketPart(
PVMKDC_DATA pData,
PVMKDC_ENCTICKETPART *ppRetEncTicketPart)
{
DWORD dwError = 0;
PVMKDC_ENCTICKETPART pEncTicketPart = NULL;
EncTicketPart heimPart;
unsigned char *partBufPtr = NULL;
size_t heimPartLen = 0;
size_t partBufLen = 0;
PVMKDC_KEY pKey = NULL;
PVMKDC_PRINCIPAL pClient = NULL;
memset(&heimPart, 0, sizeof(heimPart));
partBufPtr = VMKDC_GET_PTR_DATA(pData);
partBufLen = VMKDC_GET_LEN_DATA(pData);
/*
* Decode the EncTicketPart into a Heimdal EncTicketPart structure.
*/
decode_EncTicketPart(partBufPtr, partBufLen, &heimPart, &heimPartLen);
if (heimPartLen <= 0)
{
dwError = ERROR_PROTOCOL;
BAIL_ON_VMKDC_ERROR(dwError);
}
/* flags */
/* key */
dwError = VmKdcMakeKey(heimPart.key.keytype,
0,
heimPart.key.keyvalue.data,
(int) heimPart.key.keyvalue.length,
&pKey);
BAIL_ON_VMKDC_ERROR(dwError);
/* crealm, cname */
dwError = VmKdcMakePrincipal(heimPart.crealm,
heimPart.cname.name_string.len,
(PCSTR *)heimPart.cname.name_string.val,
&pClient);
BAIL_ON_VMKDC_ERROR(dwError);
/* transited */
/* authtime */
/* starttime */
/* endtime */
/* renew_till */
/* caddr */
/* authorization_data */
/*
* Translate the decoded EncTicketPart to a VMKDC_ENCTICKETPART structure.
*/
dwError = VmKdcMakeEncTicketPart(0, /* flags */
pKey, /* key */
pClient, /* crealm, cname */
NULL, /* transited */
heimPart.authtime, /* authtime */
heimPart.starttime, /* starttime */
heimPart.endtime, /* endtime */
heimPart.renew_till, /* renew_till */
NULL, /* caddr */
NULL, /* authorization_data */
&pEncTicketPart);
BAIL_ON_VMKDC_ERROR(dwError);
*ppRetEncTicketPart = pEncTicketPart;
error:
if (dwError)
{
VMKDC_SAFE_FREE_ENCTICKETPART(pEncTicketPart);
}
free_EncTicketPart(&heimPart);
VMKDC_SAFE_FREE_PRINCIPAL(pClient);
VMKDC_SAFE_FREE_KEY(pKey);
return dwError;
}
