2 * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
35 RCSID("$Id: convert_creds.c 22050 2007-11-11 11:20:46Z lha $");
37 #include "krb5-v4compat.h"
39 static krb5_error_code
40 check_ticket_flags(TicketFlags f)
42 return 0; /* maybe add some more tests here? */
46 * Convert the v5 credentials in in_cred to v4-dito in v4creds. This
47 * is done by sending them to the 524 function in the KDC. If
48 * `in_cred' doesn't contain a DES session key, then a new one is
49 * gotten from the KDC and stored in the cred cache `ccache'.
51 * @param context Kerberos 5 context.
52 * @param in_cred the credential to convert
53 * @param v4creds the converted credential
55 * @return Returns 0 to indicate success. Otherwise an kerberos et
56 * error code is returned, see krb5_get_error_message().
58 * @ingroup krb5_v4compat
61 krb5_error_code KRB5_LIB_FUNCTION
62 krb524_convert_creds_kdc(krb5_context context,
64 struct credentials *v4creds)
72 krb5_creds *v5_creds = in_cred;
74 ret = check_ticket_flags(v5_creds->flags.b);
79 krb5_krbhst_handle handle;
81 ret = krb5_krbhst_init(context,
82 krb5_principal_get_realm(context,
89 ret = krb5_sendto (context,
93 krb5_krbhst_free(context, handle);
97 sp = krb5_storage_from_mem(reply.data, reply.length);
100 krb5_set_error_string (context, "malloc: out of memory");
103 krb5_ret_int32(sp, &tmp);
106 memset(v4creds, 0, sizeof(*v4creds));
107 ret = krb5_ret_int32(sp, &tmp);
111 ret = krb5_ret_data(sp, &ticket);
114 v4creds->ticket_st.length = ticket.length;
115 memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length);
116 krb5_data_free(&ticket);
117 ret = krb5_524_conv_principal(context,
124 v4creds->issue_date = v5_creds->times.starttime;
125 v4creds->lifetime = _krb5_krb_time_to_life(v4creds->issue_date,
126 v5_creds->times.endtime);
127 ret = krb5_524_conv_principal(context, v5_creds->client,
133 memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8);
135 krb5_set_error_string(context, "converting credentials: %s",
136 krb5_get_err_text(context, ret));
139 krb5_storage_free(sp);
140 krb5_data_free(&reply);
142 if (v5_creds != in_cred)
143 krb5_free_creds (context, v5_creds);
148 * Convert the v5 credentials in in_cred to v4-dito in v4creds,
149 * check the credential cache ccache before checking with the KDC.
151 * @param context Kerberos 5 context.
152 * @param ccache credential cache used to check for des-ticket.
153 * @param in_cred the credential to convert
154 * @param v4creds the converted credential
156 * @return Returns 0 to indicate success. Otherwise an kerberos et
157 * error code is returned, see krb5_get_error_message().
159 * @ingroup krb5_v4compat
162 krb5_error_code KRB5_LIB_FUNCTION
163 krb524_convert_creds_kdc_ccache(krb5_context context,
166 struct credentials *v4creds)
169 krb5_creds *v5_creds = in_cred;
170 krb5_keytype keytype;
172 keytype = v5_creds->session.keytype;
174 if (keytype != ENCTYPE_DES_CBC_CRC) {
175 /* MIT krb524d doesn't like nothing but des-cbc-crc tickets,
179 memset (&template, 0, sizeof(template));
180 template.session.keytype = ENCTYPE_DES_CBC_CRC;
181 ret = krb5_copy_principal (context, in_cred->client, &template.client);
183 krb5_free_cred_contents (context, &template);
186 ret = krb5_copy_principal (context, in_cred->server, &template.server);
188 krb5_free_cred_contents (context, &template);
192 ret = krb5_get_credentials (context, 0, ccache,
193 &template, &v5_creds);
194 krb5_free_cred_contents (context, &template);
199 ret = krb524_convert_creds_kdc(context, v5_creds, v4creds);
201 if (v5_creds != in_cred)
202 krb5_free_creds (context, v5_creds);