![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to get_ad_tkt.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / kerberosIV / krb|
Return to get_ad_tkt.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / kerberosIV / krb |
1.1 ! root 1: /* ! 2: * $Source: /usr/src/kerberosIV/krb/RCS/get_ad_tkt.c,v $ ! 3: * $Author: kfall $ ! 4: * ! 5: * Copyright 1986, 1987, 1988 by the Massachusetts Institute ! 6: * of Technology. ! 7: * ! 8: * For copying and distribution information, please see the file ! 9: * <mit-copyright.h>. ! 10: */ ! 11: ! 12: #ifndef lint ! 13: static char *rcsid_get_ad_tkt_c = ! 14: "$Header: /usr/src/kerberosIV/krb/RCS/get_ad_tkt.c,v 4.16 90/06/25 20:55:44 kfall Exp $"; ! 15: #endif /* lint */ ! 16: ! 17: #include <mit-copyright.h> ! 18: #include <des.h> ! 19: #include <krb.h> ! 20: #include <prot.h> ! 21: #include <strings.h> ! 22: ! 23: #include <stdio.h> ! 24: #include <errno.h> ! 25: ! 26: /* use the bsd time.h struct defs for PC too! */ ! 27: #include <sys/time.h> ! 28: #include <sys/types.h> ! 29: ! 30: extern int krb_debug; ! 31: ! 32: struct timeval tt_local = { 0, 0 }; ! 33: ! 34: int swap_bytes; ! 35: unsigned long rep_err_code; ! 36: ! 37: /* ! 38: * get_ad_tkt obtains a new service ticket from Kerberos, using ! 39: * the ticket-granting ticket which must be in the ticket file. ! 40: * It is typically called by krb_mk_req() when the client side ! 41: * of an application is creating authentication information to be ! 42: * sent to the server side. ! 43: * ! 44: * get_ad_tkt takes four arguments: three pointers to strings which ! 45: * contain the name, instance, and realm of the service for which the ! 46: * ticket is to be obtained; and an integer indicating the desired ! 47: * lifetime of the ticket. ! 48: * ! 49: * It returns an error status if the ticket couldn't be obtained, ! 50: * or AD_OK if all went well. The ticket is stored in the ticket ! 51: * cache. ! 52: * ! 53: * The request sent to the Kerberos ticket-granting service looks ! 54: * like this: ! 55: * ! 56: * pkt->dat ! 57: * ! 58: * TEXT original contents of authenticator+ticket ! 59: * pkt->dat built in krb_mk_req call ! 60: * ! 61: * 4 bytes time_ws always 0 (?) ! 62: * char lifetime lifetime argument passed ! 63: * string service service name argument ! 64: * string sinstance service instance arg. ! 65: * ! 66: * See "prot.h" for the reply packet layout and definitions of the ! 67: * extraction macros like pkt_version(), pkt_msg_type(), etc. ! 68: */ ! 69: ! 70: get_ad_tkt(service,sinstance,realm,lifetime) ! 71: char *service; ! 72: char *sinstance; ! 73: char *realm; ! 74: int lifetime; ! 75: { ! 76: static KTEXT_ST pkt_st; ! 77: KTEXT pkt = & pkt_st; /* Packet to KDC */ ! 78: static KTEXT_ST rpkt_st; ! 79: KTEXT rpkt = &rpkt_st; /* Returned packet */ ! 80: static KTEXT_ST cip_st; ! 81: KTEXT cip = &cip_st; /* Returned Ciphertext */ ! 82: static KTEXT_ST tkt_st; ! 83: KTEXT tkt = &tkt_st; /* Current ticket */ ! 84: C_Block ses; /* Session key for tkt */ ! 85: CREDENTIALS cr; ! 86: int kvno; /* Kvno for session key */ ! 87: char lrealm[REALM_SZ]; ! 88: C_Block key; /* Key for decrypting cipher */ ! 89: Key_schedule key_s; ! 90: long time_ws = 0; ! 91: ! 92: char s_name[SNAME_SZ]; ! 93: char s_instance[INST_SZ]; ! 94: int msg_byte_order; ! 95: int kerror; ! 96: char rlm[REALM_SZ]; ! 97: char *ptr; ! 98: ! 99: unsigned long kdc_time; /* KDC time */ ! 100: ! 101: if ((kerror = krb_get_tf_realm(TKT_FILE, lrealm)) != KSUCCESS) ! 102: return(kerror); ! 103: ! 104: /* Create skeleton of packet to be sent */ ! 105: (void) gettimeofday(&tt_local,(struct timezone *) 0); ! 106: ! 107: pkt->length = 0; ! 108: ! 109: /* ! 110: * Look for the session key (and other stuff we don't need) ! 111: * in the ticket file for krbtgt.realm@lrealm where "realm" ! 112: * is the service's realm (passed in "realm" argument) and ! 113: * lrealm is the realm of our initial ticket. If we don't ! 114: * have this, we will try to get it. ! 115: */ ! 116: ! 117: if ((kerror = krb_get_cred("krbtgt",realm,lrealm,&cr)) != KSUCCESS) { ! 118: /* ! 119: * If realm == lrealm, we have no hope, so let's not even try. ! 120: */ ! 121: if ((strncmp(realm, lrealm, REALM_SZ)) == 0) ! 122: return(AD_NOTGT); ! 123: else{ ! 124: if ((kerror = ! 125: get_ad_tkt("krbtgt",realm,lrealm,lifetime)) != KSUCCESS) ! 126: return(kerror); ! 127: if ((kerror = krb_get_cred("krbtgt",realm,lrealm,&cr)) != KSUCCESS) ! 128: return(kerror); ! 129: } ! 130: } ! 131: ! 132: /* ! 133: * Make up a request packet to the "krbtgt.realm@lrealm". ! 134: * Start by calling krb_mk_req() which puts ticket+authenticator ! 135: * into "pkt". Then tack other stuff on the end. ! 136: */ ! 137: ! 138: kerror = krb_mk_req(pkt,"krbtgt",realm,lrealm,0L); ! 139: ! 140: if (kerror) ! 141: return(AD_NOTGT); ! 142: ! 143: /* timestamp */ ! 144: bcopy((char *) &time_ws,(char *) (pkt->dat+pkt->length),4); ! 145: pkt->length += 4; ! 146: *(pkt->dat+(pkt->length)++) = (char) lifetime; ! 147: (void) strcpy((char *) (pkt->dat+pkt->length),service); ! 148: pkt->length += 1 + strlen(service); ! 149: (void) strcpy((char *)(pkt->dat+pkt->length),sinstance); ! 150: pkt->length += 1 + strlen(sinstance); ! 151: ! 152: rpkt->length = 0; ! 153: ! 154: /* Send the request to the local ticket-granting server */ ! 155: if (kerror = send_to_kdc(pkt, rpkt, realm)) return(kerror); ! 156: ! 157: /* check packet version of the returned packet */ ! 158: if (pkt_version(rpkt) != KRB_PROT_VERSION ) ! 159: return(INTK_PROT); ! 160: ! 161: /* Check byte order */ ! 162: msg_byte_order = pkt_msg_type(rpkt) & 1; ! 163: swap_bytes = 0; ! 164: if (msg_byte_order != HOST_BYTE_ORDER) ! 165: swap_bytes++; ! 166: ! 167: switch (pkt_msg_type(rpkt) & ~1) { ! 168: case AUTH_MSG_KDC_REPLY: ! 169: break; ! 170: case AUTH_MSG_ERR_REPLY: ! 171: bcopy(pkt_err_code(rpkt), (char *) &rep_err_code, 4); ! 172: if (swap_bytes) ! 173: swap_u_long(rep_err_code); ! 174: return(rep_err_code); ! 175: ! 176: default: ! 177: return(INTK_PROT); ! 178: } ! 179: ! 180: /* Extract the ciphertext */ ! 181: cip->length = pkt_clen(rpkt); /* let clen do the swap */ ! 182: ! 183: bcopy((char *) pkt_cipher(rpkt),(char *) (cip->dat),cip->length); ! 184: ! 185: #ifndef NOENCRYPTION ! 186: /* Attempt to decrypt it */ ! 187: ! 188: key_sched(cr.session,key_s); ! 189: if (krb_debug) printf("About to do decryption ..."); ! 190: pcbc_encrypt((C_Block *)cip->dat,(C_Block *)cip->dat, ! 191: (long) cip->length,key_s,cr.session,0); ! 192: #endif /* !NOENCRYPTION */ ! 193: /* Get rid of all traces of key */ ! 194: bzero((char *) cr.session, sizeof(key)); ! 195: bzero((char *) key_s, sizeof(key_s)); ! 196: ! 197: ptr = (char *) cip->dat; ! 198: ! 199: bcopy(ptr,(char *)ses,8); ! 200: ptr += 8; ! 201: ! 202: (void) strcpy(s_name,ptr); ! 203: ptr += strlen(s_name) + 1; ! 204: ! 205: (void) strcpy(s_instance,ptr); ! 206: ptr += strlen(s_instance) + 1; ! 207: ! 208: (void) strcpy(rlm,ptr); ! 209: ptr += strlen(rlm) + 1; ! 210: ! 211: lifetime = (unsigned long) ptr[0]; ! 212: kvno = (unsigned long) ptr[1]; ! 213: tkt->length = (int) ptr[2]; ! 214: ptr += 3; ! 215: bcopy(ptr,(char *)(tkt->dat),tkt->length); ! 216: ptr += tkt->length; ! 217: ! 218: if (strcmp(s_name, service) || strcmp(s_instance, sinstance) || ! 219: strcmp(rlm, realm)) /* not what we asked for */ ! 220: return(INTK_ERR); /* we need a better code here XXX */ ! 221: ! 222: /* check KDC time stamp */ ! 223: bcopy(ptr,(char *)&kdc_time,4); /* Time (coarse) */ ! 224: if (swap_bytes) swap_u_long(kdc_time); ! 225: ! 226: ptr += 4; ! 227: ! 228: (void) gettimeofday(&tt_local,(struct timezone *) 0); ! 229: if (abs((int)(tt_local.tv_sec - kdc_time)) > CLOCK_SKEW) { ! 230: return(RD_AP_TIME); /* XXX should probably be better ! 231: code */ ! 232: } ! 233: ! 234: if (kerror = save_credentials(s_name,s_instance,rlm,ses,lifetime, ! 235: kvno,tkt,tt_local.tv_sec)) ! 236: return(kerror); ! 237: ! 238: return(AD_OK); ! 239: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.