diff options
Diffstat (limited to 'crypto/kerberosIV/lib/krb/mk_req.c')
-rw-r--r-- | crypto/kerberosIV/lib/krb/mk_req.c | 215 |
1 files changed, 215 insertions, 0 deletions
diff --git a/crypto/kerberosIV/lib/krb/mk_req.c b/crypto/kerberosIV/lib/krb/mk_req.c new file mode 100644 index 0000000..313ea04 --- /dev/null +++ b/crypto/kerberosIV/lib/krb/mk_req.c @@ -0,0 +1,215 @@ +/* + * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "krb_locl.h" + +RCSID("$Id: mk_req.c,v 1.17 1997/05/30 17:42:38 bg Exp $"); + +static int lifetime = 255; /* But no longer than TGT says. */ + + +static void +build_request(KTEXT req, char *name, char *inst, char *realm, + u_int32_t checksum) +{ + struct timeval tv; + unsigned char *p = req->dat; + + p += krb_put_nir(name, inst, realm, p); + + p += krb_put_int(checksum, p, 4); + + + /* Fill in the times on the request id */ + gettimeofday(&tv, NULL); + + *p++ = tv.tv_usec / 5000; /* 5ms */ + + p += krb_put_int(tv.tv_sec, p, 4); + + /* Fill to a multiple of 8 bytes for DES */ + req->length = ((p - req->dat + 7)/8) * 8; +} + + +/* + * krb_mk_req takes a text structure in which an authenticator is to + * be built, the name of a service, an instance, a realm, + * and a checksum. It then retrieves a ticket for + * the desired service and creates an authenticator in the text + * structure passed as the first argument. krb_mk_req returns + * KSUCCESS on success and a Kerberos error code on failure. + * + * The peer procedure on the other end is krb_rd_req. When making + * any changes to this routine it is important to make corresponding + * changes to krb_rd_req. + * + * The authenticator consists of the following: + * + * authent->dat + * + * unsigned char KRB_PROT_VERSION protocol version no. + * unsigned char AUTH_MSG_APPL_REQUEST message type + * (least significant + * bit of above) HOST_BYTE_ORDER local byte ordering + * unsigned char kvno from ticket server's key version + * string realm server's realm + * unsigned char tl ticket length + * unsigned char idl request id length + * text ticket->dat ticket for server + * text req_id->dat request id + * + * The ticket information is retrieved from the ticket cache or + * fetched from Kerberos. The request id (called the "authenticator" + * in the papers on Kerberos) contains the following: + * + * req_id->dat + * + * string cr.pname {name, instance, and + * string cr.pinst realm of principal + * string myrealm making this request} + * 4 bytes checksum checksum argument given + * unsigned char tv_local.tf_usec time (milliseconds) + * 4 bytes tv_local.tv_sec time (seconds) + * + * req_id->length = 3 strings + 3 terminating nulls + 5 bytes for time, + * all rounded up to multiple of 8. + */ + +int +krb_mk_req(KTEXT authent, char *service, char *instance, char *realm, + int32_t checksum) +{ + KTEXT_ST req_st; + KTEXT req_id = &req_st; + + CREDENTIALS cr; /* Credentials used by retr */ + KTEXT ticket = &(cr.ticket_st); /* Pointer to tkt_st */ + int retval; /* Returned by krb_get_cred */ + + char myrealm[REALM_SZ]; + + unsigned char *p = authent->dat; + + p += krb_put_int(KRB_PROT_VERSION, p, 1); + + p += krb_put_int(AUTH_MSG_APPL_REQUEST, p, 1); + + /* Get the ticket and move it into the authenticator */ + if (krb_ap_req_debug) + krb_warning("Realm: %s\n", realm); + + retval = krb_get_cred(service,instance,realm,&cr); + + if (retval == RET_NOTKT) { + retval = get_ad_tkt(service, instance, realm, lifetime); + if (retval == KSUCCESS) + retval = krb_get_cred(service, instance, realm, &cr); + } + + if (retval != KSUCCESS) + return retval; + + + /* + * With multi realm ticket files either find a matching TGT or + * else use the first TGT for inter-realm authentication. + * + * In myrealm hold the realm of the principal "owning" the + * corresponding ticket-granting-ticket. + */ + + retval = krb_get_cred(KRB_TICKET_GRANTING_TICKET, realm, realm, 0); + if (retval == KSUCCESS) + strncpy(myrealm, realm, REALM_SZ); + else + retval = krb_get_tf_realm(TKT_FILE, myrealm); + + if (retval != KSUCCESS) + return retval; + + if (krb_ap_req_debug) + krb_warning("serv=%s.%s@%s princ=%s.%s@%s\n", service, instance, realm, + cr.pname, cr.pinst, myrealm); + + p += krb_put_int(cr.kvno, p, 1); + + p += krb_put_string(realm, p); + + p += krb_put_int(ticket->length, p, 1); + + build_request(req_id, cr.pname, cr.pinst, myrealm, checksum); + + encrypt_ktext(req_id, &cr.session, DES_ENCRYPT); + + p += krb_put_int(req_id->length, p, 1); + + memcpy(p, ticket->dat, ticket->length); + + p += ticket->length; + + memcpy(p, req_id->dat, req_id->length); + + p += req_id->length; + + authent->length = p - authent->dat; + + memset(&cr, 0, sizeof(cr)); + memset(&req_st, 0, sizeof(req_st)); + + if (krb_ap_req_debug) + krb_warning("Authent->length = %d\n", authent->length); + + return KSUCCESS; +} + +/* + * krb_set_lifetime sets the default lifetime for additional tickets + * obtained via krb_mk_req(). + * + * It returns the previous value of the default lifetime. + */ + +int +krb_set_lifetime(int newval) +{ + int olife = lifetime; + + lifetime = newval; + return(olife); +} |