krb5_error_code KRB5_CALLCONV
krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
krb5_creds *creds)
{
krb5_error_code ret;
krb5_ticket *tkt;
krb5_principal s1, s2;
/* remove any dups */
krb5_cc_remove_cred(context, cache, 0, creds);
ret = cache->ops->store(context, cache, creds);
if (ret) return ret;
/*
* If creds->server and the server in the decoded ticket differ,
* store both principals.
*/
s1 = creds->server;
ret = decode_krb5_ticket(&creds->ticket, &tkt);
/* Bail out on errors in case someone is storing a non-ticket. */
if (ret) return 0;
s2 = tkt->server;
if (!krb5_principal_compare(context, s1, s2)) {
creds->server = s2;
/* remove any dups */
krb5_cc_remove_cred(context, cache, 0, creds);
ret = cache->ops->store(context, cache, creds);
creds->server = s1;
}
krb5_free_ticket(context, tkt);
return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
krb5_creds *in_creds, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_checksum checksum;
krb5_checksum *checksump = 0;
krb5_auth_context new_auth_context;
krb5_enctype *desired_etypes = NULL;
krb5_ap_req request;
krb5_data *scratch = 0;
krb5_data *toutbuf;
request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK;
request.authenticator.ciphertext.data = NULL;
request.ticket = 0;
if (!in_creds->ticket.length)
return(KRB5_NO_TKT_SUPPLIED);
if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) &&
!(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
return(EINVAL);
/* we need a native ticket */
if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket)))
return(retval);
/* verify that the ticket is not expired */
if ((retval = krb5int_validate_times(context, &in_creds->times)) != 0)
goto cleanup;
/* generate auth_context if needed */
if (*auth_context == NULL) {
if ((retval = krb5_auth_con_init(context, &new_auth_context)))
goto cleanup;
*auth_context = new_auth_context;
}
if ((*auth_context)->key != NULL) {
krb5_k_free_key(context, (*auth_context)->key);
(*auth_context)->key = NULL;
}
/* set auth context keyblock */
if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
&((*auth_context)->key))))
goto cleanup;
/* generate seq number if needed */
if ((((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
|| ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
&& ((*auth_context)->local_seq_number == 0)) {
if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock,
&(*auth_context)->local_seq_number)))
goto cleanup;
}
/* generate subkey if needed */
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
retval = k5_generate_and_save_subkey(context, *auth_context,
&in_creds->keyblock,
in_creds->keyblock.enctype);
if (retval)
goto cleanup;
}
if (!in_data && (*auth_context)->checksum_func) {
retval = (*auth_context)->checksum_func( context,
*auth_context,
(*auth_context)->checksum_func_data,
&in_data);
if (retval)
goto cleanup;
}
if (in_data) {
if ((*auth_context)->req_cksumtype == 0x8003) {
/* XXX Special hack for GSSAPI */
checksum.checksum_type = 0x8003;
checksum.length = in_data->length;
checksum.contents = (krb5_octet *) in_data->data;
} else {
krb5_enctype enctype = krb5_k_key_enctype(context,
(*auth_context)->key);
krb5_cksumtype cksumtype = ap_req_cksum(context, *auth_context,
enctype);
if ((retval = krb5_k_make_checksum(context,
cksumtype,
(*auth_context)->key,
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
in_data, &checksum)))
goto cleanup_cksum;
}
checksump = &checksum;
}
/* Generate authenticator */
if (((*auth_context)->authentp = (krb5_authenticator *)malloc(sizeof(
krb5_authenticator))) == NULL) {
retval = ENOMEM;
goto cleanup_cksum;
}
if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) {
if ((*auth_context)->permitted_etypes == NULL) {
retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
if (retval)
goto cleanup_cksum;
} else
desired_etypes = (*auth_context)->permitted_etypes;
}
TRACE_MK_REQ(context, in_creds, (*auth_context)->local_seq_number,
(*auth_context)->send_subkey, &in_creds->keyblock);
if ((retval = generate_authenticator(context,
(*auth_context)->authentp,
in_creds->client, checksump,
(*auth_context)->send_subkey,
(*auth_context)->local_seq_number,
in_creds->authdata,
(*auth_context)->ad_context,
desired_etypes,
in_creds->keyblock.enctype)))
goto cleanup_cksum;
/* encode the authenticator */
if ((retval = encode_krb5_authenticator((*auth_context)->authentp,
&scratch)))
goto cleanup_cksum;
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
KRB5_KEYUSAGE_AP_REQ_AUTH,
scratch, &request.authenticator)))
goto cleanup_cksum;
if ((retval = encode_krb5_ap_req(&request, &toutbuf)))
goto cleanup_cksum;
*outbuf = *toutbuf;
free(toutbuf);
cleanup_cksum:
/* Null out these fields, to prevent pointer sharing problems;
* they were supplied by the caller
*/
if ((*auth_context)->authentp != NULL) {
(*auth_context)->authentp->client = NULL;
(*auth_context)->authentp->checksum = NULL;
}
if (checksump && checksump->checksum_type != 0x8003)
free(checksump->contents);
cleanup:
if (desired_etypes &&
desired_etypes != (*auth_context)->permitted_etypes)
free(desired_etypes);
if (request.ticket)
krb5_free_ticket(context, request.ticket);
if (request.authenticator.ciphertext.data) {
(void) memset(request.authenticator.ciphertext.data, 0,
request.authenticator.ciphertext.length);
free(request.authenticator.ciphertext.data);
}
if (scratch) {
memset(scratch->data, 0, scratch->length);
free(scratch->data);
free(scratch);
}
return retval;
}
/* Construct an AP-REQ message for a TGS request. */
static krb5_error_code
tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
krb5_creds *tgt, krb5_keyblock *subkey,
krb5_data **ap_req_asn1_out)
{
krb5_cksumtype cksumtype;
krb5_error_code ret;
krb5_checksum checksum;
krb5_authenticator authent;
krb5_ap_req ap_req;
krb5_data *authent_asn1 = NULL;
krb5_ticket *ticket = NULL;
krb5_enc_data authent_enc;
*ap_req_asn1_out = NULL;
memset(&checksum, 0, sizeof(checksum));
memset(&ap_req, 0, sizeof(ap_req));
memset(&authent_enc, 0, sizeof(authent_enc));
/* Determine the authenticator checksum type. */
switch (tgt->keyblock.enctype) {
case ENCTYPE_DES_CBC_CRC:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP:
cksumtype = context->kdc_req_sumtype;
break;
default:
ret = krb5int_c_mandatory_cksumtype(context, tgt->keyblock.enctype,
&cksumtype);
if (ret)
goto cleanup;
}
/* Generate checksum. */
ret = krb5_c_make_checksum(context, cksumtype, &tgt->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, checksum_data,
&checksum);
if (ret)
goto cleanup;
/* Construct, encode, and encrypt an authenticator. */
authent.subkey = subkey;
authent.seq_number = 0;
authent.checksum = &checksum;
authent.client = tgt->client;
authent.authorization_data = tgt->authdata;
ret = krb5_us_timeofday(context, &authent.ctime, &authent.cusec);
if (ret)
goto cleanup;
ret = encode_krb5_authenticator(&authent, &authent_asn1);
if (ret)
goto cleanup;
ret = krb5_encrypt_helper(context, &tgt->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH, authent_asn1,
&authent_enc);
if (ret)
goto cleanup;
ret = decode_krb5_ticket(&tgt->ticket, &ticket);
if (ret)
goto cleanup;
/* Encode the AP-REQ. */
ap_req.authenticator = authent_enc;
ap_req.ticket = ticket;
ret = encode_krb5_ap_req(&ap_req, ap_req_asn1_out);
cleanup:
free(checksum.contents);
krb5_free_ticket(context, ticket);
krb5_free_data_contents(context, &authent_enc.ciphertext);
if (authent_asn1 != NULL)
zapfree(authent_asn1->data, authent_asn1->length);
free(authent_asn1);
return ret;
}
/*
* Construct a TGS request and return its ASN.1 encoding as well as the
* timestamp, nonce, and subkey used. The pacb_fn callback allows the caller
* to amend the request padata after the nonce and subkey are determined.
*/
krb5_error_code
k5_make_tgs_req(krb5_context context,
struct krb5int_fast_request_state *fast_state,
krb5_creds *tgt, krb5_flags kdcoptions,
krb5_address *const *addrs, krb5_pa_data **in_padata,
krb5_creds *desired, k5_pacb_fn pacb_fn, void *pacb_data,
krb5_data *req_asn1_out, krb5_timestamp *timestamp_out,
krb5_int32 *nonce_out, krb5_keyblock **subkey_out)
{
krb5_error_code ret;
krb5_kdc_req req;
krb5_data *authdata_asn1 = NULL, *req_body_asn1 = NULL;
krb5_data *ap_req_asn1 = NULL, *tgs_req_asn1 = NULL;
krb5_ticket *sec_ticket = NULL;
krb5_ticket *sec_ticket_arr[2];
krb5_timestamp time_now;
krb5_pa_data **padata = NULL, *pa;
krb5_keyblock *subkey = NULL;
krb5_enc_data authdata_enc;
krb5_enctype enctypes[2], *defenctypes = NULL;
size_t count, i;
*req_asn1_out = empty_data();
*timestamp_out = 0;
*nonce_out = 0;
*subkey_out = NULL;
memset(&req, 0, sizeof(req));
memset(&authdata_enc, 0, sizeof(authdata_enc));
/* tgt's client principal must match the desired client principal. */
if (!krb5_principal_compare(context, tgt->client, desired->client))
return KRB5_PRINC_NOMATCH;
/* tgt must be an actual credential, not a template. */
if (!tgt->ticket.length)
return KRB5_NO_TKT_SUPPLIED;
req.kdc_options = kdcoptions;
req.server = desired->server;
req.from = desired->times.starttime;
req.till = desired->times.endtime ? desired->times.endtime :
tgt->times.endtime;
req.rtime = desired->times.renew_till;
ret = krb5_timeofday(context, &time_now);
if (ret)
return ret;
*nonce_out = req.nonce = (krb5_int32)time_now;
*timestamp_out = time_now;
req.addresses = (krb5_address **)addrs;
/* Generate subkey. */
ret = krb5_generate_subkey(context, &tgt->keyblock, &subkey);
if (ret)
return ret;
TRACE_SEND_TGS_SUBKEY(context, subkey);
ret = krb5int_fast_tgs_armor(context, fast_state, subkey, &tgt->keyblock,
NULL, NULL);
if (ret)
goto cleanup;
if (desired->authdata != NULL) {
ret = encode_krb5_authdata(desired->authdata, &authdata_asn1);
if (ret)
goto cleanup;
ret = krb5_encrypt_helper(context, subkey,
KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY,
authdata_asn1, &authdata_enc);
if (ret)
goto cleanup;
req.authorization_data = authdata_enc;
}
if (desired->keyblock.enctype != ENCTYPE_NULL) {
if (!krb5_c_valid_enctype(desired->keyblock.enctype)) {
ret = KRB5_PROG_ETYPE_NOSUPP;
goto cleanup;
}
enctypes[0] = desired->keyblock.enctype;
enctypes[1] = ENCTYPE_NULL;
req.ktype = enctypes;
req.nktypes = 1;
} else {
/* Get the default TGS enctypes. */
ret = krb5_get_tgs_ktypes(context, desired->server, &defenctypes);
if (ret)
goto cleanup;
for (count = 0; defenctypes[count]; count++);
req.ktype = defenctypes;
req.nktypes = count;
}
TRACE_SEND_TGS_ETYPES(context, req.ktype);
if (kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) {
if (desired->second_ticket.length == 0) {
ret = KRB5_NO_2ND_TKT;
goto cleanup;
}
ret = decode_krb5_ticket(&desired->second_ticket, &sec_ticket);
if (ret)
goto cleanup;
sec_ticket_arr[0] = sec_ticket;
sec_ticket_arr[1] = NULL;
req.second_ticket = sec_ticket_arr;
}
/* Encode the request body. */
ret = krb5int_fast_prep_req_body(context, fast_state, &req,
&req_body_asn1);
if (ret)
goto cleanup;
ret = tgs_construct_ap_req(context, req_body_asn1, tgt, subkey,
&ap_req_asn1);
if (ret)
goto cleanup;
for (count = 0; in_padata != NULL && in_padata[count] != NULL; count++);
/* Construct a padata array for the request, beginning with the ap-req. */
padata = k5calloc(count + 2, sizeof(krb5_pa_data *), &ret);
if (padata == NULL)
goto cleanup;
padata[0] = k5alloc(sizeof(krb5_pa_data), &ret);
if (padata[0] == NULL)
goto cleanup;
padata[0]->pa_type = KRB5_PADATA_AP_REQ;
padata[0]->contents = k5memdup(ap_req_asn1->data, ap_req_asn1->length,
&ret);
if (padata[0] == NULL)
goto cleanup;
padata[0]->length = ap_req_asn1->length;
/* Append copies of any other supplied padata. */
for (i = 0; in_padata != NULL && in_padata[i] != NULL; i++) {
pa = k5alloc(sizeof(krb5_pa_data), &ret);
if (pa == NULL)
goto cleanup;
pa->pa_type = in_padata[i]->pa_type;
pa->length = in_padata[i]->length;
pa->contents = k5memdup(in_padata[i]->contents, in_padata[i]->length,
&ret);
if (pa->contents == NULL)
goto cleanup;
padata[i + 1] = pa;
}
req.padata = padata;
if (pacb_fn != NULL) {
ret = (*pacb_fn)(context, subkey, &req, pacb_data);
if (ret)
goto cleanup;
}
/* Encode the TGS-REQ. Discard the krb5_data container. */
ret = krb5int_fast_prep_req(context, fast_state, &req, ap_req_asn1,
encode_krb5_tgs_req, &tgs_req_asn1);
if (ret)
goto cleanup;
*req_asn1_out = *tgs_req_asn1;
free(tgs_req_asn1);
tgs_req_asn1 = NULL;
*subkey_out = subkey;
subkey = NULL;
cleanup:
krb5_free_data(context, authdata_asn1);
krb5_free_data(context, req_body_asn1);
krb5_free_data(context, ap_req_asn1);
krb5_free_pa_data(context, req.padata);
krb5_free_ticket(context, sec_ticket);
krb5_free_data_contents(context, &authdata_enc.ciphertext);
krb5_free_keyblock(context, subkey);
free(defenctypes);
return ret;
}
/*
Sends a request to the TGS and waits for a response.
options is used for the options in the KRB_TGS_REQ.
timestruct values are used for from, till, rtime " " "
enctype is used for enctype " " ", and to encrypt the authorization data,
sname is used for sname " " "
addrs, if non-NULL, is used for addresses " " "
authorization_dat, if non-NULL, is used for authorization_dat " " "
second_ticket, if required by options, is used for the 2nd ticket in the req.
in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
(the KDC realm is extracted from in_cred->server's realm)
The response is placed into *rep.
rep->response.data is set to point at allocated storage which should be
freed by the caller when finished.
returns system errors
*/
static krb5_error_code
krb5_send_tgs_basic(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_checksum checksum;
krb5_authenticator authent;
krb5_ap_req request;
krb5_data * scratch;
krb5_data * toutbuf;
/* Generate checksum */
if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype,
&in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
in_data, &checksum))) {
free(checksum.contents);
return(retval);
}
/* gen authenticator */
authent.subkey = 0;
authent.seq_number = 0;
authent.checksum = &checksum;
authent.client = in_cred->client;
authent.authorization_data = in_cred->authdata;
if ((retval = krb5_us_timeofday(context, &authent.ctime,
&authent.cusec))) {
free(checksum.contents);
return(retval);
}
/* encode the authenticator */
if ((retval = encode_krb5_authenticator(&authent, &scratch))) {
free(checksum.contents);
return(retval);
}
free(checksum.contents);
request.authenticator.ciphertext.data = 0;
request.authenticator.kvno = 0;
request.ap_options = 0;
request.ticket = 0;
if ((retval = decode_krb5_ticket(&(in_cred)->ticket, &request.ticket)))
/* Cleanup scratch and scratch data */
goto cleanup_data;
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH,
scratch, &request.authenticator)))
goto cleanup_ticket;
retval = encode_krb5_ap_req(&request, &toutbuf);
/* Solaris Kerberos */
if (retval == 0) {
*outbuf = *toutbuf;
krb5_xfree(toutbuf);
}
memset(request.authenticator.ciphertext.data, 0,
request.authenticator.ciphertext.length);
free(request.authenticator.ciphertext.data);
cleanup_ticket:
krb5_free_ticket(context, request.ticket);
cleanup_data:
memset(scratch->data, 0, scratch->length);
free(scratch->data);
free(scratch);
return retval;
}
/*
* Solaris Kerberos
* Same as krb5_send_tgs plus an extra arg to return the FQDN
* of the KDC sent the request.
*/
krb5_error_code
krb5_send_tgs2(krb5_context context, krb5_flags kdcoptions,
const krb5_ticket_times *timestruct, const krb5_enctype *ktypes,
krb5_const_principal sname, krb5_address *const *addrs,
krb5_authdata *const *authorization_data,
krb5_pa_data *const *padata, const krb5_data *second_ticket,
krb5_creds *in_cred, krb5_response *rep, char **hostname_used)
{
krb5_error_code retval;
krb5_kdc_req tgsreq;
krb5_data *scratch, scratch2;
krb5_ticket *sec_ticket = 0;
krb5_ticket *sec_ticket_arr[2];
krb5_timestamp time_now;
krb5_pa_data **combined_padata;
krb5_pa_data ap_req_padata;
int tcp_only = 0, use_master;
/*
* in_creds MUST be a valid credential NOT just a partially filled in
* place holder for us to get credentials for the caller.
*/
if (!in_cred->ticket.length)
return(KRB5_NO_TKT_SUPPLIED);
memset((char *)&tgsreq, 0, sizeof(tgsreq));
tgsreq.kdc_options = kdcoptions;
tgsreq.server = (krb5_principal) sname;
tgsreq.from = timestruct->starttime;
tgsreq.till = timestruct->endtime ? timestruct->endtime :
in_cred->times.endtime;
tgsreq.rtime = timestruct->renew_till;
if ((retval = krb5_timeofday(context, &time_now)))
return(retval);
/* XXX we know they are the same size... */
rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;
rep->request_time = time_now;
tgsreq.addresses = (krb5_address **) addrs;
if (authorization_data) {
/* need to encrypt it in the request */
if ((retval = encode_krb5_authdata(authorization_data,
&scratch)))
return(retval);
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
scratch,
&tgsreq.authorization_data))) {
krb5_xfree(tgsreq.authorization_data.ciphertext.data);
krb5_free_data(context, scratch);
return retval;
}
krb5_free_data(context, scratch);
}
/* Get the encryption types list */
if (ktypes) {
/* Check passed ktypes and make sure they're valid. */
for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) {
if (!krb5_c_valid_enctype(ktypes[tgsreq.nktypes]))
return KRB5_PROG_ETYPE_NOSUPP;
}
tgsreq.ktype = (krb5_enctype *)ktypes;
} else {
/* Get the default ktypes */
/* Solaris Kerberos */
if ((retval = krb5_get_tgs_ktypes(context, sname, &(tgsreq.ktype))))
goto send_tgs_error_2;
for(tgsreq.nktypes = 0; tgsreq.ktype[tgsreq.nktypes]; tgsreq.nktypes++);
}
if (second_ticket) {
if ((retval = decode_krb5_ticket(second_ticket, &sec_ticket)))
goto send_tgs_error_1;
sec_ticket_arr[0] = sec_ticket;
sec_ticket_arr[1] = 0;
tgsreq.second_ticket = sec_ticket_arr;
} else
tgsreq.second_ticket = 0;
/* encode the body; then checksum it */
if ((retval = encode_krb5_kdc_req_body(&tgsreq, &scratch)))
goto send_tgs_error_2;
/*
* Get an ap_req.
*/
if ((retval = krb5_send_tgs_basic(context, scratch, in_cred, &scratch2))) {
krb5_free_data(context, scratch);
goto send_tgs_error_2;
}
krb5_free_data(context, scratch);
ap_req_padata.pa_type = KRB5_PADATA_AP_REQ;
ap_req_padata.length = scratch2.length;
ap_req_padata.contents = (krb5_octet *)scratch2.data;
/* combine in any other supplied padata */
if (padata) {
krb5_pa_data * const * counter;
register unsigned int i = 0;
for (counter = padata; *counter; counter++, i++);
combined_padata = malloc((i+2) * sizeof(*combined_padata));
if (!combined_padata) {
krb5_xfree(ap_req_padata.contents);
retval = ENOMEM;
goto send_tgs_error_2;
}
combined_padata[0] = &ap_req_padata;
for (i = 1, counter = padata; *counter; counter++, i++)
combined_padata[i] = (krb5_pa_data *) *counter;
combined_padata[i] = 0;
} else {
combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata));
if (!combined_padata) {
krb5_xfree(ap_req_padata.contents);
retval = ENOMEM;
goto send_tgs_error_2;
}
combined_padata[0] = &ap_req_padata;
combined_padata[1] = 0;
}
tgsreq.padata = combined_padata;
/* the TGS_REQ is assembled in tgsreq, so encode it */
if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch))) {
krb5_xfree(ap_req_padata.contents);
krb5_xfree(combined_padata);
goto send_tgs_error_2;
}
krb5_xfree(ap_req_padata.contents);
krb5_xfree(combined_padata);
/* now send request & get response from KDC */
send_again:
use_master = 0;
retval = krb5_sendto_kdc2(context, scratch,
krb5_princ_realm(context, sname),
&rep->response, &use_master, tcp_only,
hostname_used);
if (retval == 0) {
if (krb5_is_krb_error(&rep->response)) {
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
/* Solaris Kerberos */
if (retval == 0) {
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
free(rep->response.data);
rep->response.data = 0;
goto send_again;
}
krb5_free_error(context, err_reply);
}
}
} else if (krb5_is_tgs_rep(&rep->response))
rep->message_type = KRB5_TGS_REP;
else /* XXX: assume it's an error */
rep->message_type = KRB5_ERROR;
}
krb5_free_data(context, scratch);
send_tgs_error_2:;
if (sec_ticket)
krb5_free_ticket(context, sec_ticket);
send_tgs_error_1:;
if (ktypes == NULL)
krb5_xfree(tgsreq.ktype);
if (tgsreq.authorization_data.ciphertext.data) {
memset(tgsreq.authorization_data.ciphertext.data, 0,
tgsreq.authorization_data.ciphertext.length);
krb5_xfree(tgsreq.authorization_data.ciphertext.data);
}
return retval;
}
static krb5_error_code
krb5_mk_ncred_basic(krb5_context context,
krb5_creds **ppcreds, krb5_int32 nppcreds,
krb5_key key, krb5_replay_data *replaydata,
krb5_address *local_addr, krb5_address *remote_addr,
krb5_cred *pcred)
{
krb5_cred_enc_part credenc;
krb5_error_code retval;
size_t size;
int i;
credenc.magic = KV5M_CRED_ENC_PART;
credenc.s_address = 0;
credenc.r_address = 0;
if (local_addr) krb5_copy_addr(context, local_addr, &credenc.s_address);
if (remote_addr) krb5_copy_addr(context, remote_addr, &credenc.r_address);
credenc.nonce = replaydata->seq;
credenc.usec = replaydata->usec;
credenc.timestamp = replaydata->timestamp;
/* Get memory for creds and initialize it */
size = sizeof(krb5_cred_info *) * (nppcreds + 1);
credenc.ticket_info = (krb5_cred_info **) calloc(1, size);
if (credenc.ticket_info == NULL)
return ENOMEM;
/*
* For each credential in the list, initialize a cred info
* structure and copy the ticket into the ticket list.
*/
for (i = 0; i < nppcreds; i++) {
credenc.ticket_info[i] = calloc(1, sizeof(krb5_cred_info));
if (credenc.ticket_info[i] == NULL) {
retval = ENOMEM;
goto cleanup;
}
credenc.ticket_info[i+1] = NULL;
credenc.ticket_info[i]->magic = KV5M_CRED_INFO;
credenc.ticket_info[i]->times = ppcreds[i]->times;
credenc.ticket_info[i]->flags = ppcreds[i]->ticket_flags;
if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket,
&pcred->tickets[i])))
goto cleanup;
if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock,
&credenc.ticket_info[i]->session)))
goto cleanup;
if ((retval = krb5_copy_principal(context, ppcreds[i]->client,
&credenc.ticket_info[i]->client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, ppcreds[i]->server,
&credenc.ticket_info[i]->server)))
goto cleanup;
if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses,
&credenc.ticket_info[i]->caddrs)))
goto cleanup;
}
/*
* NULL terminate the lists.
*/
pcred->tickets[i] = NULL;
/* encrypt the credential encrypted part */
retval = encrypt_credencpart(context, &credenc, key, &pcred->enc_part);
cleanup:
krb5_free_cred_enc_part(context, &credenc);
return retval;
}