1
/*
2
 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * 3. Neither the name of the Institute nor the names of its contributors
18
 *    may be used to endorse or promote products derived from this software
19
 *    without specific prior written permission.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31
 * SUCH DAMAGE.
32
 */
33

34
#include "krb5_locl.h"
35

36
/**
37
 * Free content of krb5_creds.
38
 *
39
 * @param context Kerberos 5 context.
40
 * @param c krb5_creds to free.
41
 *
42
 * @return Returns 0 to indicate success. Otherwise an kerberos et
43
 * error code is returned, see krb5_get_error_message().
44
 *
45
 * @ingroup krb5
46
 */
47

48
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
49
krb5_free_cred_contents (krb5_context context, krb5_creds *c)
50
{
51
    krb5_free_principal (context, c->client);
52
    c->client = NULL;
53
    krb5_free_principal (context, c->server);
54
    c->server = NULL;
55
    krb5_free_keyblock_contents (context, &c->session);
56
    krb5_data_free (&c->ticket);
57
    krb5_data_free (&c->second_ticket);
58
    free_AuthorizationData (&c->authdata);
59
    krb5_free_addresses (context, &c->addresses);
60
    memset(c, 0, sizeof(*c));
61
    return 0;
62
}
63

64
/**
65
 * Copy content of krb5_creds.
66
 *
67
 * @param context Kerberos 5 context.
68
 * @param incred source credential
69
 * @param c destination credential, free with krb5_free_cred_contents().
70
 *
71
 * @return Returns 0 to indicate success. Otherwise an kerberos et
72
 * error code is returned, see krb5_get_error_message().
73
 *
74
 * @ingroup krb5
75
 */
76

77
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
78
krb5_copy_creds_contents (krb5_context context,
79
			  const krb5_creds *incred,
80
			  krb5_creds *c)
81
{
82
    krb5_error_code ret;
83

84
    memset(c, 0, sizeof(*c));
85
    ret = krb5_copy_principal (context, incred->client, &c->client);
86
    if (ret)
87
	goto fail;
88
    ret = krb5_copy_principal (context, incred->server, &c->server);
89
    if (ret)
90
	goto fail;
91
    ret = krb5_copy_keyblock_contents (context, &incred->session, &c->session);
92
    if (ret)
93
	goto fail;
94
    c->times = incred->times;
95
    ret = krb5_data_copy (&c->ticket,
96
			  incred->ticket.data,
97
			  incred->ticket.length);
98
    if (ret)
99
	goto fail;
100
    ret = krb5_data_copy (&c->second_ticket,
101
			  incred->second_ticket.data,
102
			  incred->second_ticket.length);
103
    if (ret)
104
	goto fail;
105
    ret = copy_AuthorizationData(&incred->authdata, &c->authdata);
106
    if (ret)
107
	goto fail;
108
    ret = krb5_copy_addresses (context,
109
			       &incred->addresses,
110
			       &c->addresses);
111
    if (ret)
112
	goto fail;
113
    c->flags = incred->flags;
114
    return 0;
115

116
fail:
117
    krb5_free_cred_contents (context, c);
118
    return ret;
119
}
120

121
/**
122
 * Copy krb5_creds.
123
 *
124
 * @param context Kerberos 5 context.
125
 * @param incred source credential
126
 * @param outcred destination credential, free with krb5_free_creds().
127
 *
128
 * @return Returns 0 to indicate success. Otherwise an kerberos et
129
 * error code is returned, see krb5_get_error_message().
130
 *
131
 * @ingroup krb5
132
 */
133

134
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
135
krb5_copy_creds (krb5_context context,
136
		 const krb5_creds *incred,
137
		 krb5_creds **outcred)
138
{
139
    krb5_creds *c;
140

141
    c = malloc (sizeof (*c));
142
    if (c == NULL) {
143
	krb5_set_error_message (context, ENOMEM,
144
				N_("malloc: out of memory", ""));
145
	return ENOMEM;
146
    }
147
    memset (c, 0, sizeof(*c));
148
    *outcred = c;
149
    return krb5_copy_creds_contents (context, incred, c);
150
}
151

152
/**
153
 * Free krb5_creds.
154
 *
155
 * @param context Kerberos 5 context.
156
 * @param c krb5_creds to free.
157
 *
158
 * @return Returns 0 to indicate success. Otherwise an kerberos et
159
 * error code is returned, see krb5_get_error_message().
160
 *
161
 * @ingroup krb5
162
 */
163

164
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
165
krb5_free_creds (krb5_context context, krb5_creds *c)
166
{
167
    krb5_free_cred_contents (context, c);
168
    free (c);
169
    return 0;
170
}
171

172
/* XXX this do not belong here */
173
static krb5_boolean
174
krb5_times_equal(const krb5_times *a, const krb5_times *b)
175
{
176
    return a->starttime == b->starttime &&
177
	a->authtime == b->authtime &&
178
	a->endtime == b->endtime &&
179
	a->renew_till == b->renew_till;
180
}
181

182
/**
183
 * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
184
 * determines what equal means).
185
 *
186
 *
187
 * The following flags, set in whichfields affects the comparison:
188
 * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
189
 * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
190
 * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
191
 * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
192
 * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
193
 * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
194
 * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
195
 * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
196
 * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
197
 *
198
 * @param context Kerberos 5 context.
199
 * @param whichfields which fields to compare.
200
 * @param mcreds cred to compare with.
201
 * @param creds cred to compare with.
202
 *
203
 * @return return TRUE if mcred and creds are equal, FALSE if not.
204
 *
205
 * @ingroup krb5
206
 */
207

208
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
209
krb5_compare_creds(krb5_context context, krb5_flags whichfields,
210
		   const krb5_creds * mcreds, const krb5_creds * creds)
211
{
212
    krb5_boolean match = TRUE;
213

214
    if (match && mcreds->server) {
215
	if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY))
216
	    match = krb5_principal_compare_any_realm (context, mcreds->server,
217
						      creds->server);
218
	else
219
	    match = krb5_principal_compare (context, mcreds->server,
220
					    creds->server);
221
    }
222

223
    if (match && mcreds->client) {
224
	if(whichfields & KRB5_TC_DONT_MATCH_REALM)
225
	    match = krb5_principal_compare_any_realm (context, mcreds->client,
226
						      creds->client);
227
	else
228
	    match = krb5_principal_compare (context, mcreds->client,
229
					    creds->client);
230
    }
231

232
    if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
233
        match = mcreds->session.keytype == creds->session.keytype;
234

235
    if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
236
	match = mcreds->flags.i == creds->flags.i;
237

238
    if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
239
	match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;
240

241
    if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
242
	match = krb5_times_equal(&mcreds->times, &creds->times);
243

244
    if (match && (whichfields & KRB5_TC_MATCH_TIMES))
245
	/* compare only expiration times */
246
	match = (mcreds->times.renew_till <= creds->times.renew_till) &&
247
	    (mcreds->times.endtime <= creds->times.endtime);
248

249
    if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
250
	unsigned int i;
251
	if(mcreds->authdata.len != creds->authdata.len)
252
	    match = FALSE;
253
	else
254
	    for(i = 0; match && i < mcreds->authdata.len; i++)
255
		match = (mcreds->authdata.val[i].ad_type ==
256
			 creds->authdata.val[i].ad_type) &&
257
		    (krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
258
				   &creds->authdata.val[i].ad_data) == 0);
259
    }
260
    if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
261
	match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);
262

263
    if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
264
	match = ((mcreds->second_ticket.length == 0) ==
265
		 (creds->second_ticket.length == 0));
266

267
    return match;
268
}
269

270
/**
271
 * Returns the ticket flags for the credentials in creds.
272
 * See also krb5_ticket_get_flags().
273
 *
274
 * @param creds credential to get ticket flags from
275
 *
276
 * @return ticket flags
277
 *
278
 * @ingroup krb5
279
 */
280

281
KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
282
krb5_creds_get_ticket_flags(krb5_creds *creds)
283
{
284
    return TicketFlags2int(creds->flags.b);
285
}
286

287