/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/send_tgs.c
*
* Copyright 1990,1991,2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
/*
*/
/*
* krb5_send_tgs()
*/
#include "k5-int.h"
#include "int-proto.h"
/*
Constructs a TGS request
options is used for the options in the KRB_TGS_REQ.
timestruct values are used for from, till, rtime " " "
enctype is used for enctype " " ", and to encrypt the authorization data,
sname is used for sname " " "
addrs, if non-NULL, is used for addresses " " "
authorization_dat, if non-NULL, is used for authorization_dat " " "
second_ticket, if required by options, is used for the 2nd ticket in the req.
in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
(the KDC realm is extracted from in_cred->server's realm)
The response is placed into *rep.
rep->response.data is set to point at allocated storage which should be
freed by the caller when finished.
returns system errors
*/
static krb5_error_code
{
request.ap_options = 0;
case ENCTYPE_DES_CBC_CRC:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP:
break;
default:
if (retval)
goto cleanup;
}
/* Generate checksum */
goto cleanup;
}
/* gen authenticator */
authent.seq_number = 0;
goto cleanup;
/* encode the authenticator */
goto cleanup;
/* Cleanup scratch and scratch data */
goto cleanup;
/* call the encryption routine */
goto cleanup;
}
}
return retval;
}
/*
* Note that this function fills in part of rep even on failure.
*
* The pacb_fct callback allows the caller access to the nonce
* and request subkey, for binding preauthentication data
*/
/*
* Solaris Kerberos
* Modified to return the krb5_kdc_req associated with request_data
* for use by the DTrace probes.
* Must be freed by caller.
*/
const krb5_ticket_times *timestruct,
const krb5_enctype *ktypes,
krb5_address *const *addrs,
krb5_authdata *const *authorization_data,
krb5_pa_data *const *padata,
const krb5_data *second_ticket,
krb5_kdc_req *,
void *),
void *pacb_data,
{
/*
* in_creds MUST be a valid credential NOT just a partially filled in
* place holder for us to get credentials for the caller.
*/
return(KRB5_NO_TKT_SUPPLIED);
return(retval);
/* XXX we know they are the same size... */
/* Generate subkey*/
&local_subkey)) != 0)
return retval;
if (authorization_data) {
/* need to encrypt it in the request */
goto send_tgs_error_1;
&tgsreq.authorization_data))) {
goto send_tgs_error_1;
}
}
/* Get the encryption types list */
if (ktypes) {
/* Check passed ktypes and make sure they're valid. */
return KRB5_PROG_ETYPE_NOSUPP;
}
} else {
/* Get the default ktypes */
}
if (second_ticket) {
goto send_tgs_error_1;
sec_ticket_arr[0] = sec_ticket;
sec_ticket_arr[1] = 0;
} else
tgsreq.second_ticket = 0;
/* encode the body; then checksum it */
goto send_tgs_error_2;
/*
* Get an ap_req.
*/
&scratch2, local_subkey))) {
goto send_tgs_error_2;
}
goto send_tgs_error_2;
}
goto send_tgs_error_2;
}
/* combine in any other supplied padata, unfortunately now it is
* necessary to copy it as the callback function might modify the
* padata, and having a separate path for the non-callback case,
* or attempting to determine which elements were changed by the
* callback, would have complicated the code significantly.
*/
if (padata) {
int i;
for (i = 0; padata[i]; i++)
;
(i + 2) * sizeof(*combined_padata));
goto send_tgs_error_2;
for (i = 0; padata[i]; i++) {
goto send_tgs_error_2;
}
goto send_tgs_error_2;
}
}
}
goto send_tgs_error_2;
}
/* the TGS_REQ is assembled in tgsreq, so encode it */
goto send_tgs_error_2;
/*
* Solaris Kerberos
* Copy the tgsreq structure so that it is available to the DTrace
* probes. Clear the kdc_state member as it is not used by the probes
* and will only cause assertion failures with non-debug bits.
*/
}
/* now send request & get response from KDC */
*request_data = *scratch;
if (sec_ticket)
}
if (retval)
else
*subkey = local_subkey;
return retval;
}
/* Solaris Kerberos: dead code begin */
#if 0 /************** Begin IFDEF'ed OUT *******************************/
const krb5_ticket_times *timestruct,
const krb5_enctype *ktypes,
krb5_authdata *const *authorization_data,
krb5_kdc_req *,
void *),
void *pacb_data,
{
int tcp_only = 0, use_master;
*subkey_out = NULL;
if (retval != 0)
return retval;
use_master = 0;
if (retval != 0)
break;
/* Successful response; set the output subkey. */
*subkey_out = subkey;
break;
/* Decode the error response to extract the code. */
if (err == KRB_ERR_RESPONSE_TOO_BIG) {
/* Try again with TCP. */
continue;
}
}
/* Unexpected message type, or an error other than RESPONSE_TOO_BIG. */
break;
}
return retval;
}
#endif /**************** END IFDEF'ed OUT *******************************/
/* Solaris Kerberos: dead code end */