/src/samba/third_party/heimdal/lib/krb5/creds.c

Source
/*
 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "krb5_locl.h"

/**
 * Free content of krb5_creds.
 *
 * @param context Kerberos 5 context.
 * @param c krb5_creds to free.
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_cred_contents (krb5_context context, krb5_creds *c)
{
    krb5_free_principal (context, c->client);
    c->client = NULL;
    krb5_free_principal (context, c->server);
    c->server = NULL;
    krb5_free_keyblock_contents (context, &c->session);
    krb5_data_free (&c->ticket);
    krb5_data_free (&c->second_ticket);
    free_AuthorizationData (&c->authdata);
    krb5_free_addresses (context, &c->addresses);
    memset(c, 0, sizeof(*c));
    return 0;
}

/**
 * Copy content of krb5_creds.
 *
 * @param context Kerberos 5 context.
 * @param incred source credential
 * @param c destination credential, free with krb5_free_cred_contents().
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_creds_contents (krb5_context context,
        const krb5_creds *incred,
        krb5_creds *c)
{
    krb5_error_code ret;

    memset(c, 0, sizeof(*c));
    ret = krb5_copy_principal (context, incred->client, &c->client);
    if (ret)
  goto fail;
    ret = krb5_copy_principal (context, incred->server, &c->server);
    if (ret)
  goto fail;
    ret = krb5_copy_keyblock_contents (context, &incred->session, &c->session);
    if (ret)
  goto fail;
    c->times = incred->times;
    ret = krb5_data_copy (&c->ticket,
        incred->ticket.data,
        incred->ticket.length);
    if (ret)
  goto fail;
    ret = krb5_data_copy (&c->second_ticket,
        incred->second_ticket.data,
        incred->second_ticket.length);
    if (ret)
  goto fail;
    ret = copy_AuthorizationData(&incred->authdata, &c->authdata);
    if (ret)
  goto fail;
    ret = krb5_copy_addresses (context,
             &incred->addresses,
             &c->addresses);
    if (ret)
  goto fail;
    c->flags = incred->flags;
    return 0;

fail:
    krb5_free_cred_contents (context, c);
    return ret;
}

/**
 * Copy krb5_creds.
 *
 * @param context Kerberos 5 context.
 * @param incred source credential
 * @param outcred destination credential, free with krb5_free_creds().
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_creds (krb5_context context,
     const krb5_creds *incred,
     krb5_creds **outcred)
{
    krb5_creds *c;

    c = calloc(1, sizeof(*c));
    if (c == NULL)
  return krb5_enomem(context);
    *outcred = c;
    return krb5_copy_creds_contents (context, incred, c);
}

/**
 * Free krb5_creds.
 *
 * @param context Kerberos 5 context.
 * @param c krb5_creds to free.
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_creds (krb5_context context, krb5_creds *c)
{
    if (c != NULL)
        krb5_free_cred_contents(context, c);
    free(c);
    return 0;
}

/* XXX this do not belong here */
static krb5_boolean
krb5_times_equal(const krb5_times *a, const krb5_times *b)
{
    return a->starttime == b->starttime &&
  a->authtime == b->authtime &&
  a->endtime == b->endtime &&
  a->renew_till == b->renew_till;
}

/**
 * Return TRUE if `mcreds' and `creds' are equal (`whichfields'
 * determines what equal means).
 *
 *
 * The following flags, set in whichfields affects the comparison:
 * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
 * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
 * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
 * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
 * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
 * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
 * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
 * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
 * - KRB5_TC_MATCH_IS_SKEY Compares the existence of the second ticket.
 *
 * @param context Kerberos 5 context.
 * @param whichfields which fields to compare.
 * @param mcreds cred to compare with.
 * @param creds cred to compare with.
 *
 * @return return TRUE if mcred and creds are equal, FALSE if not.
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_compare_creds(krb5_context context, krb5_flags whichfields,
       const krb5_creds * mcreds, const krb5_creds * creds)
{
    krb5_boolean match = TRUE;

    if (match && mcreds->server) {
  if (whichfields & (KRB5_TC_DONT_MATCH_REALM | KRB5_TC_MATCH_SRV_NAMEONLY))
      match = krb5_principal_compare_any_realm (context, mcreds->server,
                  creds->server);
  else
      match = krb5_principal_compare (context, mcreds->server,
              creds->server);
    }

    if (match && mcreds->client) {
  if(whichfields & KRB5_TC_DONT_MATCH_REALM)
      match = krb5_principal_compare_any_realm (context, mcreds->client,
                  creds->client);
  else
      match = krb5_principal_compare (context, mcreds->client,
              creds->client);
    }

    if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
        match = mcreds->session.keytype == creds->session.keytype;

    if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
  match = mcreds->flags.i == creds->flags.i;

    if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
  match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;

    if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
  match = krb5_times_equal(&mcreds->times, &creds->times);

    if (match && (whichfields & KRB5_TC_MATCH_TIMES))
  /* compare only expiration times */
  match = (mcreds->times.renew_till <= creds->times.renew_till) &&
      (mcreds->times.endtime <= creds->times.endtime);

    if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
  unsigned int i;
  if(mcreds->authdata.len != creds->authdata.len)
      match = FALSE;
  else
      for(i = 0; match && i < mcreds->authdata.len; i++)
    match = (mcreds->authdata.val[i].ad_type ==
       creds->authdata.val[i].ad_type) &&
        (krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
           &creds->authdata.val[i].ad_data) == 0);
    }
    if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
  match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);

    if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
  match = ((mcreds->second_ticket.length == 0) ==
     (creds->second_ticket.length == 0));

    return match;
}

/**
 * Returns the ticket flags for the credentials in creds.
 * See also krb5_ticket_get_flags().
 *
 * @param creds credential to get ticket flags from
 *
 * @return ticket flags
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
krb5_creds_get_ticket_flags(krb5_creds *creds)
{
    return TicketFlags2int(creds->flags.b);
}

Coverage Report

Created: 2025-11-16 06:57

Line	Count	Source
1		/*
2		* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3		* (Royal Institute of Technology, Stockholm, Sweden).
4		* All rights reserved.
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions
8		* are met:
9		*
10		* 1. Redistributions of source code must retain the above copyright
11		* notice, this list of conditions and the following disclaimer.
12		*
13		* 2. Redistributions in binary form must reproduce the above copyright
14		* notice, this list of conditions and the following disclaimer in the
15		* documentation and/or other materials provided with the distribution.
16		*
17		* 3. Neither the name of the Institute nor the names of its contributors
18		* may be used to endorse or promote products derived from this software
19		* without specific prior written permission.
20		*
21		* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23		* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24		* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25		* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26		* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27		* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28		* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30		* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31		* SUCH DAMAGE.
32		*/
33
34		#include "krb5_locl.h"
35
36		/**
37		* Free content of krb5_creds.
38		*
39		* @param context Kerberos 5 context.
40		* @param c krb5_creds to free.
41		*
42		* @return Returns 0 to indicate success. Otherwise an kerberos et
43		* error code is returned, see krb5_get_error_message().
44		*
45		* @ingroup krb5
46		*/
47
48		KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
49		krb5_free_cred_contents (krb5_context context, krb5_creds *c)
50	0	{
51	0	krb5_free_principal (context, c->client);
52	0	c->client = NULL;
53	0	krb5_free_principal (context, c->server);
54	0	c->server = NULL;
55	0	krb5_free_keyblock_contents (context, &c->session);
56	0	krb5_data_free (&c->ticket);
57	0	krb5_data_free (&c->second_ticket);
58	0	free_AuthorizationData (&c->authdata);
59	0	krb5_free_addresses (context, &c->addresses);
60	0	memset(c, 0, sizeof(*c));
61	0	return 0;
62	0	}
63
64		/**
65		* Copy content of krb5_creds.
66		*
67		* @param context Kerberos 5 context.
68		* @param incred source credential
69		* @param c destination credential, free with krb5_free_cred_contents().
70		*
71		* @return Returns 0 to indicate success. Otherwise an kerberos et
72		* error code is returned, see krb5_get_error_message().
73		*
74		* @ingroup krb5
75		*/
76
77		KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
78		krb5_copy_creds_contents (krb5_context context,
79		const krb5_creds *incred,
80		krb5_creds *c)
81	0	{
82	0	krb5_error_code ret;
83
84	0	memset(c, 0, sizeof(*c));
85	0	ret = krb5_copy_principal (context, incred->client, &c->client);
86	0	if (ret)
87	0	goto fail;
88	0	ret = krb5_copy_principal (context, incred->server, &c->server);
89	0	if (ret)
90	0	goto fail;
91	0	ret = krb5_copy_keyblock_contents (context, &incred->session, &c->session);
92	0	if (ret)
93	0	goto fail;
94	0	c->times = incred->times;
95	0	ret = krb5_data_copy (&c->ticket,
96	0	incred->ticket.data,
97	0	incred->ticket.length);
98	0	if (ret)
99	0	goto fail;
100	0	ret = krb5_data_copy (&c->second_ticket,
101	0	incred->second_ticket.data,
102	0	incred->second_ticket.length);
103	0	if (ret)
104	0	goto fail;
105	0	ret = copy_AuthorizationData(&incred->authdata, &c->authdata);
106	0	if (ret)
107	0	goto fail;
108	0	ret = krb5_copy_addresses (context,
109	0	&incred->addresses,
110	0	&c->addresses);
111	0	if (ret)
112	0	goto fail;
113	0	c->flags = incred->flags;
114	0	return 0;
115
116	0	fail:
117	0	krb5_free_cred_contents (context, c);
118	0	return ret;
119	0	}
120
121		/**
122		* Copy krb5_creds.
123		*
124		* @param context Kerberos 5 context.
125		* @param incred source credential
126		* @param outcred destination credential, free with krb5_free_creds().
127		*
128		* @return Returns 0 to indicate success. Otherwise an kerberos et
129		* error code is returned, see krb5_get_error_message().
130		*
131		* @ingroup krb5
132		*/
133
134		KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
135		krb5_copy_creds (krb5_context context,
136		const krb5_creds *incred,
137		krb5_creds **outcred)
138	0	{
139	0	krb5_creds *c;
140
141	0	c = calloc(1, sizeof(*c));
142	0	if (c == NULL)
143	0	return krb5_enomem(context);
144	0	*outcred = c;
145	0	return krb5_copy_creds_contents (context, incred, c);
146	0	}
147
148		/**
149		* Free krb5_creds.
150		*
151		* @param context Kerberos 5 context.
152		* @param c krb5_creds to free.
153		*
154		* @return Returns 0 to indicate success. Otherwise an kerberos et
155		* error code is returned, see krb5_get_error_message().
156		*
157		* @ingroup krb5
158		*/
159
160		KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
161		krb5_free_creds (krb5_context context, krb5_creds *c)
162	0	{
163	0	if (c != NULL)
164	0	krb5_free_cred_contents(context, c);
165	0	free(c);
166	0	return 0;
167	0	}
168
169		/* XXX this do not belong here */
170		static krb5_boolean
171		krb5_times_equal(const krb5_times a, const krb5_times b)
172	0	{
173	0	return a->starttime == b->starttime &&
174	0	a->authtime == b->authtime &&
175	0	a->endtime == b->endtime &&
176	0	a->renew_till == b->renew_till;
177	0	}
178
179		/**
180		* Return TRUE if `mcreds' and `creds' are equal (`whichfields'
181		* determines what equal means).
182		*
183		*
184		* The following flags, set in whichfields affects the comparison:
185		* - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
186		* - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
187		* - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
188		* - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
189		* - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
190		* - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
191		* - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
192		* - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
193		* - KRB5_TC_MATCH_IS_SKEY Compares the existence of the second ticket.
194		*
195		* @param context Kerberos 5 context.
196		* @param whichfields which fields to compare.
197		* @param mcreds cred to compare with.
198		* @param creds cred to compare with.
199		*
200		* @return return TRUE if mcred and creds are equal, FALSE if not.
201		*
202		* @ingroup krb5
203		*/
204
205		KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
206		krb5_compare_creds(krb5_context context, krb5_flags whichfields,
207		const krb5_creds * mcreds, const krb5_creds * creds)
208	0	{
209	0	krb5_boolean match = TRUE;
210
211	0	if (match && mcreds->server) {
212	0	if (whichfields & (KRB5_TC_DONT_MATCH_REALM \| KRB5_TC_MATCH_SRV_NAMEONLY))
213	0	match = krb5_principal_compare_any_realm (context, mcreds->server,
214	0	creds->server);
215	0	else
216	0	match = krb5_principal_compare (context, mcreds->server,
217	0	creds->server);
218	0	}
219
220	0	if (match && mcreds->client) {
221	0	if(whichfields & KRB5_TC_DONT_MATCH_REALM)
222	0	match = krb5_principal_compare_any_realm (context, mcreds->client,
223	0	creds->client);
224	0	else
225	0	match = krb5_principal_compare (context, mcreds->client,
226	0	creds->client);
227	0	}
228
229	0	if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
230	0	match = mcreds->session.keytype == creds->session.keytype;
231
232	0	if (match && (whichfields & KRB5_TC_MATCH_FLAGS_EXACT))
233	0	match = mcreds->flags.i == creds->flags.i;
234
235	0	if (match && (whichfields & KRB5_TC_MATCH_FLAGS))
236	0	match = (creds->flags.i & mcreds->flags.i) == mcreds->flags.i;
237
238	0	if (match && (whichfields & KRB5_TC_MATCH_TIMES_EXACT))
239	0	match = krb5_times_equal(&mcreds->times, &creds->times);
240
241	0	if (match && (whichfields & KRB5_TC_MATCH_TIMES))
242		/* compare only expiration times */
243	0	match = (mcreds->times.renew_till <= creds->times.renew_till) &&
244	0	(mcreds->times.endtime <= creds->times.endtime);
245
246	0	if (match && (whichfields & KRB5_TC_MATCH_AUTHDATA)) {
247	0	unsigned int i;
248	0	if(mcreds->authdata.len != creds->authdata.len)
249	0	match = FALSE;
250	0	else
251	0	for(i = 0; match && i < mcreds->authdata.len; i++)
252	0	match = (mcreds->authdata.val[i].ad_type ==
253	0	creds->authdata.val[i].ad_type) &&
254	0	(krb5_data_cmp(&mcreds->authdata.val[i].ad_data,
255	0	&creds->authdata.val[i].ad_data) == 0);
256	0	}
257	0	if (match && (whichfields & KRB5_TC_MATCH_2ND_TKT))
258	0	match = (krb5_data_cmp(&mcreds->second_ticket, &creds->second_ticket) == 0);
259
260	0	if (match && (whichfields & KRB5_TC_MATCH_IS_SKEY))
261	0	match = ((mcreds->second_ticket.length == 0) ==
262	0	(creds->second_ticket.length == 0));
263
264	0	return match;
265	0	}
266
267		/**
268		* Returns the ticket flags for the credentials in creds.
269		* See also krb5_ticket_get_flags().
270		*
271		* @param creds credential to get ticket flags from
272		*
273		* @return ticket flags
274		*
275		* @ingroup krb5
276		*/
277
278		KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
279		krb5_creds_get_ticket_flags(krb5_creds *creds)
280	0	{
281	0	return TicketFlags2int(creds->flags.b);
282	0	}