if (retval = encode_krb5_enc_cred_part(&cred_enc_part, &scratch)) return retval;#define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); krb5_free_data(scratch); } /* put together an eblock for this encryption */ krb5_use_cstype(&eblock, etype); ret_cred.enc_part.ciphertext.length = krb5_encrypt_size(scratch->length, eblock.crypto_entry); /* add padding area, and zero it */ if (!(scratch->data = realloc(scratch->data, ret_cred.enc_part.ciphertext.length))) { /* may destroy scratch->data */ krb5_xfree(scratch); return ENOMEM; } memset(scratch->data + scratch->length, 0, ret_cred.enc_part.ciphertext.length - scratch->length); if (!(ret_cred.enc_part.ciphertext.data = malloc(ret_cred.enc_part.ciphertext.length))) { retval = ENOMEM; goto clean_scratch; }#define cleanup_encpart() {\ (void) memset(ret_cred.enc_part.ciphertext.data, 0, \ ret_cred.enc_part.ciphertext.length); \ free(ret_cred.enc_part.ciphertext.data); \ ret_cred.enc_part.ciphertext.length = 0; \ ret_cred.enc_part.ciphertext.data = 0;} /* do any necessary key pre-processing */ if (retval = krb5_process_key(&eblock, key)) { goto clean_encpart; }#define cleanup_prockey() {(void) krb5_finish_key(&eblock);} /* call the encryption routine */ if (retval = krb5_encrypt((krb5_pointer) scratch->data, (krb5_pointer) ret_cred.enc_part.ciphertext.data, scratch->length, &eblock, 0)) { goto clean_prockey; } /* private message is now assembled-- do some cleanup */ cleanup_scratch(); if (retval = krb5_finish_key(&eblock)) { cleanup_encpart(); return retval; } /* encode private message */ if (retval = encode_krb5_cred(&ret_cred, &scratch)) { cleanup_encpart(); return retval; } cleanup_encpart(); *outbuf = *scratch; krb5_xfree(scratch); return 0; clean_prockey: cleanup_prockey(); clean_encpart: cleanup_encpart(); clean_scratch: cleanup_scratch(); return retval;#undef cleanup_prockey#undef cleanup_encpart#undef cleanup_scratch}/* Decode, decrypt and store the forwarded creds in the local ccache. 
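 * The peer has already been authenticated; `ticket` is the accepted
 * AP-REQ ticket whose session key protects `inbuf`, and `lusername` is
 * the local account the peer is logging in as.
 *
 * Returns 0 on success.  Returns -1 when `lusername` has no passwd entry
 * or the cache file cannot be chown'ed to that user, and otherwise the
 * krb5_error_code from rd_cred() or the credential-cache routines.  The
 * credentials decoded from `inbuf` never outlive this call.
 */
krb5_error_code
rd_and_store_for_creds(inbuf, ticket, lusername)
    krb5_data *inbuf;
    krb5_ticket *ticket;
    char *lusername;
{
    krb5_creds creds;
    krb5_error_code retval;
    char ccname[35];
    krb5_ccache ccache = NULL;
    struct passwd *pwd;
    int len;

    if (retval = rd_cred(inbuf, ticket->enc_part2->session, &creds, 0, 0)) {
        return retval;
    }
    /* From here on `creds` holds heap data that must be released. */

    if (!(pwd = getpwnam(lusername))) {
        retval = -1;
        goto cleanup;
    }

    /* Bound the formatting rather than trusting that every uid fits the
       fixed buffer; a truncated name would address the wrong file. */
    len = snprintf(ccname, sizeof ccname, "FILE:/tmp/krb5cc_%ld",
                   (long) pwd->pw_uid);
    if (len < 0 || (size_t) len >= sizeof ccname) {
        retval = ENAMETOOLONG;
        goto cleanup;
    }

    if (retval = krb5_cc_resolve(ccname, &ccache)) {
        goto cleanup;
    }
    if (retval = krb5_cc_initialize(ccache, ticket->enc_part2->client)) {
        goto cleanup;
    }
    if (retval = krb5_cc_store_cred(ccache, &creds)) {
        goto cleanup;
    }

    /* ccname + 5 skips the "FILE:" prefix to get the path.
       NOTE(review): the cache is created by whatever uid this server runs
       as, under the world-writable /tmp, and only then handed to the user
       with chown; anything already present at that name would be chown'ed
       instead.  Confirm that krb5_cc_initialize creates the file
       exclusively (or unlinks first) before relying on this ordering. */
    if (chown(ccname + 5, pwd->pw_uid, (gid_t) -1) < 0) {
        retval = -1;
        goto cleanup;
    }
    retval = 0;

cleanup:
    if (ccache) {
        (void) krb5_cc_close(ccache);
    }
    krb5_free_cred_contents(&creds);
    return retval;
}

extern krb5_deltat krb5_clockskew;
#define in_clock_skew(date) (abs((date)-currenttime) < krb5_clockskew)

/*
 * Decode the KRB-CRED message in `inbuf`, decrypt its private part with
 * `key` (the session key of the authenticating ticket), check its
 * timestamp and addresses, and fill in `creds` from the first ticket and
 * ticket_info entry the message carries.
 *
 * `sender_addr` and `recv_addr` are optional; when given, each is compared
 * against the corresponding address inside the message (if that address
 * is present).  When the message names a receiver address, it must also
 * be one of this host's local addresses.
 *
 * On success returns 0 and every heap field of `creds` is owned by the
 * caller (release with krb5_free_cred_contents).  On failure returns the
 * error and `creds` is left zeroed with no heap data attached.
 */
krb5_error_code
rd_cred(inbuf, key, creds, sender_addr, recv_addr)
    const krb5_data *inbuf;
    const krb5_keyblock *key;
    krb5_creds *creds;               /* Filled in */
    const krb5_address *sender_addr; /* optional */
    const krb5_address *recv_addr;   /* optional */
{
    krb5_error_code retval;
    krb5_encrypt_block eblock;
    krb5_cred *credmsg = NULL;
    krb5_cred_enc_part *credmsg_enc_part = NULL;
    krb5_data *scratch = NULL;       /* re-encoded first ticket, from the encoder */
    krb5_data plain;                 /* decrypted enc_part; data owned here */
    krb5_timestamp currenttime;
    int key_processed = 0;           /* eblock needs krb5_finish_key */

    /* Start from a clean struct so the failure path can free whatever
       subset of fields was filled in. */
    (void) memset((char *) creds, 0, sizeof(*creds));
    (void) memset((char *) &plain, 0, sizeof(plain));

    if (!krb5_is_krb_cred(inbuf)) {
        return KRB5KRB_AP_ERR_MSG_TYPE;
    }

    /* decode the outer (unencrypted) message */
    if (retval = decode_krb5_cred(inbuf, &credmsg)) {
        return retval;
    }

    /* The message comes off the wire: the NULL-terminated ticket array may
       be empty, and tickets[0] is used unconditionally below. */
    if (!credmsg->tickets || !credmsg->tickets[0]) {
        retval = KRB5KRB_AP_ERR_MODIFIED;
        goto cleanup;
    }

    /* Re-encode the first ticket so creds->ticket holds its own copy.
       The encoder allocates `scratch` itself, so nothing is malloc'ed
       for it beforehand. */
    if (retval = encode_krb5_ticket(credmsg->tickets[0], &scratch)) {
        goto cleanup;
    }
    creds->ticket = *scratch;
    if (!(creds->ticket.data = malloc(scratch->length))) {
        retval = ENOMEM;
        goto cleanup;
    }
    (void) memcpy((char *) creds->ticket.data, (char *) scratch->data,
                  scratch->length);

    if (!valid_etype(credmsg->enc_part.etype)) {
        retval = KRB5_PROG_ETYPE_NOSUPP;
        goto cleanup;
    }

    /* put together an eblock for this decryption */
    krb5_use_cstype(&eblock, credmsg->enc_part.etype);
    plain.length = credmsg->enc_part.ciphertext.length;
    if (!(plain.data = malloc(plain.length))) {
        retval = ENOMEM;
        goto cleanup;
    }

    /* do any necessary key pre-processing */
    if (retval = krb5_process_key(&eblock, key)) {
        goto cleanup;
    }
    key_processed = 1;

    /* call the decryption routine */
    if (retval = krb5_decrypt((krb5_pointer) credmsg->enc_part.ciphertext.data,
                              (krb5_pointer) plain.data,
                              plain.length, &eblock, 0)) {
        goto cleanup;
    }
    key_processed = 0;
    if (retval = krb5_finish_key(&eblock)) {
        goto cleanup;
    }

    /* now decode the decrypted part */
    if (retval = decode_krb5_enc_cred_part(&plain, &credmsg_enc_part)) {
        goto cleanup;
    }
    /* Same concern as for tickets[]: ticket_info[0] is dereferenced
       unconditionally below. */
    if (!credmsg_enc_part->ticket_info || !credmsg_enc_part->ticket_info[0]) {
        retval = KRB5KRB_AP_ERR_MODIFIED;
        goto cleanup;
    }

    if (retval = krb5_timeofday(&currenttime)) {
        goto cleanup;
    }
    if (!in_clock_skew(credmsg_enc_part->timestamp)) {
        retval = KRB5KRB_AP_ERR_SKEW;
        goto cleanup;
    }

    if (sender_addr && credmsg_enc_part->s_address &&
        !krb5_address_compare(sender_addr, credmsg_enc_part->s_address)) {
        retval = KRB5KRB_AP_ERR_BADADDR;
        goto cleanup;
    }
    if (recv_addr && credmsg_enc_part->r_address &&
        !krb5_address_compare(recv_addr, credmsg_enc_part->r_address)) {
        retval = KRB5KRB_AP_ERR_BADADDR;
        goto cleanup;
    }
    if (credmsg_enc_part->r_address) {
        krb5_address **our_addrs;
        int found;

        if (retval = krb5_os_localaddr(&our_addrs)) {
            goto cleanup;
        }
        found = krb5_address_search(credmsg_enc_part->r_address, our_addrs);
        krb5_free_addresses(our_addrs);
        if (!found) {
            retval = KRB5KRB_AP_ERR_BADADDR;
            goto cleanup;
        }
    }

    /* copy the pieces of the first ticket_info entry into creds */
    if (retval = krb5_copy_principal(credmsg_enc_part->ticket_info[0]->client,
                                     &creds->client)) {
        goto cleanup;
    }
    if (retval = krb5_copy_principal(credmsg_enc_part->ticket_info[0]->server,
                                     &creds->server)) {
        goto cleanup;
    }
    if (retval = krb5_copy_keyblock_contents(
            credmsg_enc_part->ticket_info[0]->session, &creds->keyblock)) {
        goto cleanup;
    }
    creds->times = credmsg_enc_part->ticket_info[0]->times;
    creds->is_skey = FALSE;
    creds->ticket_flags = credmsg_enc_part->ticket_info[0]->flags;
    if (retval = krb5_copy_addresses(credmsg_enc_part->ticket_info[0]->caddrs,
                                     &creds->addresses)) {
        goto cleanup;
    }
    creds->second_ticket.length = 0;
    creds->authdata = 0;
    retval = 0;

cleanup:
    if (key_processed) {
        (void) krb5_finish_key(&eblock);
    }
    if (plain.data) {
        /* plaintext holds a session key; wipe before release */
        (void) memset(plain.data, 0, plain.length);
        free(plain.data);
    }
    if (scratch) {
        (void) memset(scratch->data, 0, scratch->length);
        krb5_free_data(scratch);
    }
    if (credmsg) {
        /* frees the decoded tickets as well as the ciphertext and struct */
        krb5_free_cred(credmsg);
    }
    if (credmsg_enc_part) {
        /* NOTE(review): only the outer struct is released here, as before;
           its ticket_info entries and s_/r_address are still leaked and
           should go through the library's krb5_cred_enc_part release
           routine once its ownership rules are confirmed. */
        (void) krb5_xfree(credmsg_enc_part);
    }
    if (retval) {
        /* keyblock contents are wiped by the library free routine;
           leave creds empty so the caller cannot use a partial result */
        krb5_free_cred_contents(creds);
        (void) memset((char *) creds, 0, sizeof(*creds));
    }
    return retval;
}
#endif /* defined(KRB5) && defined(FORWARD) */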