2 * Copyright (c) 1997 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Kungliga Tekniska
20 * Högskolan and its contributors.
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 #include <krb5_locl.h>
44 krb5_rd_cred (krb5_context context
,
45 krb5_auth_context auth_context
,
52 EncKrbCredPart enc_krb_cred_part
;
53 krb5_data enc_krb_cred_part_data
;
56 ret
= decode_KRB_CRED (in_data
->data
, in_data
->length
,
62 ret
= KRB5KRB_AP_ERR_BADVERSION
;
66 if (cred
.msg_type
!= krb_cred
) {
67 ret
= KRB5KRB_AP_ERR_MSG_TYPE
;
71 ret
= krb5_decrypt (context
,
72 cred
.enc_part
.cipher
.data
,
73 cred
.enc_part
.cipher
.length
,
75 &auth_context
->remote_subkey
,
76 &enc_krb_cred_part_data
);
81 ret
= decode_EncKrbCredPart (enc_krb_cred_part_data
.data
,
82 enc_krb_cred_part_data
.length
,
88 /* check sender address */
90 if (enc_krb_cred_part
.s_address
91 && auth_context
->remote_address
92 && !krb5_address_compare (context
,
93 auth_context
->remote_address
,
94 enc_krb_cred_part
.s_address
)) {
95 ret
= KRB5KRB_AP_ERR_BADADDR
;
99 /* check receiver address */
101 if (enc_krb_cred_part
.r_address
102 && !krb5_address_compare (context
,
103 auth_context
->local_address
,
104 enc_krb_cred_part
.r_address
)) {
105 ret
= KRB5KRB_AP_ERR_BADADDR
;
109 /* check timestamp */
110 if (auth_context
->flags
& KRB5_AUTH_CONTEXT_DO_TIME
) {
113 krb5_timeofday (context
, &sec
);
115 if (enc_krb_cred_part
.timestamp
== NULL
||
116 enc_krb_cred_part
.usec
== NULL
||
117 abs(*enc_krb_cred_part
.timestamp
- sec
)
118 > context
->max_skew
) {
119 ret
= KRB5KRB_AP_ERR_SKEW
;
124 /* XXX - check replay cache */
126 /* Store the creds in the ccache */
128 for (i
= 0; i
< enc_krb_cred_part
.ticket_info
.len
; ++i
) {
129 KrbCredInfo
*kci
= &enc_krb_cred_part
.ticket_info
.val
[i
];
134 memset (&creds
, 0, sizeof(creds
));
136 ret
= encode_Ticket (buf
+ sizeof(buf
) - 1, sizeof(buf
),
137 &cred
.tickets
.val
[i
],
141 krb5_data_copy (&creds
.ticket
, buf
+ sizeof(buf
) - len
, len
);
142 copy_EncryptionKey (&kci
->key
, &creds
.session
);
143 if (kci
->prealm
&& kci
->pname
)
144 principalname2krb5_principal (&creds
.client
,
148 creds
.flags
.b
= *kci
->flags
;
150 creds
.times
.authtime
= *kci
->authtime
;
152 creds
.times
.starttime
= *kci
->starttime
;
154 creds
.times
.endtime
= *kci
->endtime
;
156 creds
.times
.renew_till
= *kci
->renew_till
;
157 if (kci
->srealm
&& kci
->sname
)
158 principalname2krb5_principal (&creds
.server
,
162 krb5_copy_addresses (context
,
165 krb5_cc_store_cred (context
, ccache
, &creds
);
169 free_KRB_CRED (&cred
);