2 * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "krb5_locl.h"
38 krb5_error_code KRB5_LIB_FUNCTION
39 krb5_init_etype (krb5_context context
,
42 const krb5_enctype
*etypes
)
46 krb5_enctype
*tmp
= NULL
;
50 ret
= krb5_get_default_in_tkt_etypes(context
,
57 for (i
= 0; etypes
[i
]; ++i
)
60 *val
= malloc(i
* sizeof(**val
));
61 if (i
!= 0 && *val
== NULL
) {
63 krb5_set_error_string(context
, "malloc: out of memory");
76 static krb5_error_code
77 decrypt_tkt (krb5_context context
,
80 krb5_const_pointer decrypt_arg
,
81 krb5_kdc_rep
*dec_rep
)
88 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
92 ret
= krb5_decrypt_EncryptedData (context
,
95 &dec_rep
->kdc_rep
.enc_part
,
97 krb5_crypto_destroy(context
, crypto
);
102 ret
= krb5_decode_EncASRepPart(context
,
108 ret
= krb5_decode_EncTGSRepPart(context
,
113 krb5_data_free (&data
);
120 _krb5_extract_ticket(krb5_context context
,
124 krb5_const_pointer keyseed
,
125 krb5_key_usage key_usage
,
126 krb5_addresses
*addrs
,
129 krb5_decrypt_proc decrypt_proc
,
130 krb5_const_pointer decryptarg
)
133 krb5_principal tmp_principal
;
137 krb5_timestamp sec_now
;
139 ret
= _krb5_principalname2krb5_principal (context
,
142 rep
->kdc_rep
.crealm
);
148 if((flags
& EXTRACT_TICKET_ALLOW_CNAME_MISMATCH
) == 0){
149 tmp
= krb5_principal_compare (context
, tmp_principal
, creds
->client
);
151 krb5_free_principal (context
, tmp_principal
);
152 krb5_clear_error_string (context
);
153 ret
= KRB5KRB_AP_ERR_MODIFIED
;
158 krb5_free_principal (context
, creds
->client
);
159 creds
->client
= tmp_principal
;
162 ASN1_MALLOC_ENCODE(Ticket
, creds
->ticket
.data
, creds
->ticket
.length
,
163 &rep
->kdc_rep
.ticket
, &len
, ret
);
166 if (creds
->ticket
.length
!= len
)
167 krb5_abortx(context
, "internal error in ASN.1 encoder");
168 creds
->second_ticket
.length
= 0;
169 creds
->second_ticket
.data
= NULL
;
173 ret
= _krb5_principalname2krb5_principal (context
,
175 rep
->kdc_rep
.ticket
.sname
,
176 rep
->kdc_rep
.ticket
.realm
);
179 if(flags
& EXTRACT_TICKET_ALLOW_SERVER_MISMATCH
){
180 krb5_free_principal(context
, creds
->server
);
181 creds
->server
= tmp_principal
;
182 tmp_principal
= NULL
;
184 tmp
= krb5_principal_compare (context
, tmp_principal
,
186 krb5_free_principal (context
, tmp_principal
);
188 ret
= KRB5KRB_AP_ERR_MODIFIED
;
189 krb5_clear_error_string (context
);
196 if (decrypt_proc
== NULL
)
197 decrypt_proc
= decrypt_tkt
;
199 ret
= (*decrypt_proc
)(context
, key
, key_usage
, decryptarg
, rep
);
204 if(flags
& EXTRACT_TICKET_MATCH_REALM
){
205 const char *srealm
= krb5_principal_get_realm(context
, creds
->server
);
206 const char *crealm
= krb5_principal_get_realm(context
, creds
->client
);
208 if (strcmp(rep
->enc_part
.srealm
, srealm
) != 0 ||
209 strcmp(rep
->enc_part
.srealm
, crealm
) != 0)
211 ret
= KRB5KRB_AP_ERR_MODIFIED
;
212 krb5_clear_error_string(context
);
219 if (nonce
!= rep
->enc_part
.nonce
) {
220 ret
= KRB5KRB_AP_ERR_MODIFIED
;
221 krb5_set_error_string(context
, "malloc: out of memory");
227 krb5_timeofday (context
, &sec_now
);
228 if (rep
->enc_part
.flags
.initial
229 && context
->kdc_sec_offset
== 0
230 && krb5_config_get_bool (context
, NULL
,
234 context
->kdc_sec_offset
= rep
->enc_part
.authtime
- sec_now
;
235 krb5_timeofday (context
, &sec_now
);
238 /* check all times */
240 if (rep
->enc_part
.starttime
) {
241 tmp_time
= *rep
->enc_part
.starttime
;
243 tmp_time
= rep
->enc_part
.authtime
;
245 if (creds
->times
.starttime
== 0
246 && abs(tmp_time
- sec_now
) > context
->max_skew
) {
247 ret
= KRB5KRB_AP_ERR_SKEW
;
248 krb5_set_error_string (context
,
249 "time skew (%d) larger than max (%d)",
250 abs(tmp_time
- sec_now
),
251 (int)context
->max_skew
);
255 if (creds
->times
.starttime
!= 0
256 && tmp_time
!= creds
->times
.starttime
) {
257 krb5_clear_error_string (context
);
258 ret
= KRB5KRB_AP_ERR_MODIFIED
;
262 creds
->times
.starttime
= tmp_time
;
264 if (rep
->enc_part
.renew_till
) {
265 tmp_time
= *rep
->enc_part
.renew_till
;
269 if (creds
->times
.renew_till
!= 0
270 && tmp_time
> creds
->times
.renew_till
) {
271 krb5_clear_error_string (context
);
272 ret
= KRB5KRB_AP_ERR_MODIFIED
;
276 creds
->times
.renew_till
= tmp_time
;
278 creds
->times
.authtime
= rep
->enc_part
.authtime
;
280 if (creds
->times
.endtime
!= 0
281 && rep
->enc_part
.endtime
> creds
->times
.endtime
) {
282 krb5_clear_error_string (context
);
283 ret
= KRB5KRB_AP_ERR_MODIFIED
;
287 creds
->times
.endtime
= rep
->enc_part
.endtime
;
289 if(rep
->enc_part
.caddr
)
290 krb5_copy_addresses (context
, rep
->enc_part
.caddr
, &creds
->addresses
);
292 krb5_copy_addresses (context
, addrs
, &creds
->addresses
);
294 creds
->addresses
.len
= 0;
295 creds
->addresses
.val
= NULL
;
297 creds
->flags
.b
= rep
->enc_part
.flags
;
299 creds
->authdata
.len
= 0;
300 creds
->authdata
.val
= NULL
;
301 creds
->session
.keyvalue
.length
= 0;
302 creds
->session
.keyvalue
.data
= NULL
;
303 creds
->session
.keytype
= rep
->enc_part
.key
.keytype
;
304 ret
= krb5_data_copy (&creds
->session
.keyvalue
,
305 rep
->enc_part
.key
.keyvalue
.data
,
306 rep
->enc_part
.key
.keyvalue
.length
);
309 memset (rep
->enc_part
.key
.keyvalue
.data
, 0,
310 rep
->enc_part
.key
.keyvalue
.length
);
315 static krb5_error_code
316 make_pa_enc_timestamp(krb5_context context
, PA_DATA
*pa
,
317 krb5_enctype etype
, krb5_keyblock
*key
)
323 EncryptedData encdata
;
329 krb5_us_timeofday (context
, &p
.patimestamp
, &usec
);
333 ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC
, buf
, buf_size
, &p
, &len
, ret
);
337 krb5_abortx(context
, "internal error in ASN.1 encoder");
338 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
343 ret
= krb5_encrypt_EncryptedData(context
,
345 KRB5_KU_PA_ENC_TIMESTAMP
,
351 krb5_crypto_destroy(context
, crypto
);
355 ASN1_MALLOC_ENCODE(EncryptedData
, buf
, buf_size
, &encdata
, &len
, ret
);
356 free_EncryptedData(&encdata
);
360 krb5_abortx(context
, "internal error in ASN.1 encoder");
361 pa
->padata_type
= KRB5_PADATA_ENC_TIMESTAMP
;
362 pa
->padata_value
.length
= len
;
363 pa
->padata_value
.data
= buf
;
367 static krb5_error_code
368 add_padata(krb5_context context
,
370 krb5_principal client
,
371 krb5_key_proc key_proc
,
372 krb5_const_pointer keyseed
,
373 krb5_enctype
*enctypes
,
384 /* default to standard salt */
385 ret
= krb5_get_pw_salt (context
, client
, &salt2
);
389 enctypes
= context
->etypes
;
391 for (ep
= enctypes
; *ep
!= ETYPE_NULL
; ep
++)
394 pa2
= realloc (md
->val
, (md
->len
+ netypes
) * sizeof(*md
->val
));
396 krb5_set_error_string(context
, "malloc: out of memory");
401 for (i
= 0; i
< netypes
; ++i
) {
404 ret
= (*key_proc
)(context
, enctypes
[i
], *salt
, keyseed
, &key
);
407 ret
= make_pa_enc_timestamp (context
, &md
->val
[md
->len
],
409 krb5_free_keyblock (context
, key
);
415 krb5_free_salt(context
, salt2
);
419 static krb5_error_code
420 init_as_req (krb5_context context
,
423 const krb5_addresses
*addrs
,
424 const krb5_enctype
*etypes
,
425 const krb5_preauthtype
*ptypes
,
426 const krb5_preauthdata
*preauth
,
427 krb5_key_proc key_proc
,
428 krb5_const_pointer keyseed
,
435 memset(a
, 0, sizeof(*a
));
438 a
->msg_type
= krb_as_req
;
439 a
->req_body
.kdc_options
= opts
;
440 a
->req_body
.cname
= malloc(sizeof(*a
->req_body
.cname
));
441 if (a
->req_body
.cname
== NULL
) {
443 krb5_set_error_string(context
, "malloc: out of memory");
446 a
->req_body
.sname
= malloc(sizeof(*a
->req_body
.sname
));
447 if (a
->req_body
.sname
== NULL
) {
449 krb5_set_error_string(context
, "malloc: out of memory");
452 ret
= _krb5_principal2principalname (a
->req_body
.cname
, creds
->client
);
455 ret
= _krb5_principal2principalname (a
->req_body
.sname
, creds
->server
);
458 ret
= copy_Realm(&creds
->client
->realm
, &a
->req_body
.realm
);
462 if(creds
->times
.starttime
) {
463 a
->req_body
.from
= malloc(sizeof(*a
->req_body
.from
));
464 if (a
->req_body
.from
== NULL
) {
466 krb5_set_error_string(context
, "malloc: out of memory");
469 *a
->req_body
.from
= creds
->times
.starttime
;
471 if(creds
->times
.endtime
){
472 ALLOC(a
->req_body
.till
, 1);
473 *a
->req_body
.till
= creds
->times
.endtime
;
475 if(creds
->times
.renew_till
){
476 a
->req_body
.rtime
= malloc(sizeof(*a
->req_body
.rtime
));
477 if (a
->req_body
.rtime
== NULL
) {
479 krb5_set_error_string(context
, "malloc: out of memory");
482 *a
->req_body
.rtime
= creds
->times
.renew_till
;
484 a
->req_body
.nonce
= nonce
;
485 ret
= krb5_init_etype (context
,
486 &a
->req_body
.etype
.len
,
487 &a
->req_body
.etype
.val
,
493 * This means no addresses
496 if (addrs
&& addrs
->len
== 0) {
497 a
->req_body
.addresses
= NULL
;
499 a
->req_body
.addresses
= malloc(sizeof(*a
->req_body
.addresses
));
500 if (a
->req_body
.addresses
== NULL
) {
502 krb5_set_error_string(context
, "malloc: out of memory");
507 ret
= krb5_copy_addresses(context
, addrs
, a
->req_body
.addresses
);
509 ret
= krb5_get_all_client_addrs (context
, a
->req_body
.addresses
);
510 if(ret
== 0 && a
->req_body
.addresses
->len
== 0) {
511 free(a
->req_body
.addresses
);
512 a
->req_body
.addresses
= NULL
;
519 a
->req_body
.enc_authorization_data
= NULL
;
520 a
->req_body
.additional_tickets
= NULL
;
522 if(preauth
!= NULL
) {
525 if(a
->padata
== NULL
) {
527 krb5_set_error_string(context
, "malloc: out of memory");
530 a
->padata
->val
= NULL
;
532 for(i
= 0; i
< preauth
->len
; i
++) {
533 if(preauth
->val
[i
].type
== KRB5_PADATA_ENC_TIMESTAMP
){
536 for(j
= 0; j
< preauth
->val
[i
].info
.len
; j
++) {
537 krb5_salt
*sp
= &salt
;
538 if(preauth
->val
[i
].info
.val
[j
].salttype
)
539 salt
.salttype
= *preauth
->val
[i
].info
.val
[j
].salttype
;
541 salt
.salttype
= KRB5_PW_SALT
;
542 if(preauth
->val
[i
].info
.val
[j
].salt
)
543 salt
.saltvalue
= *preauth
->val
[i
].info
.val
[j
].salt
;
545 if(salt
.salttype
== KRB5_PW_SALT
)
548 krb5_data_zero(&salt
.saltvalue
);
549 ret
= add_padata(context
, a
->padata
, creds
->client
,
551 &preauth
->val
[i
].info
.val
[j
].etype
, 1,
559 /* not sure this is the way to use `ptypes' */
560 if (ptypes
== NULL
|| *ptypes
== KRB5_PADATA_NONE
)
562 else if (*ptypes
== KRB5_PADATA_ENC_TIMESTAMP
) {
564 if (a
->padata
== NULL
) {
566 krb5_set_error_string(context
, "malloc: out of memory");
570 a
->padata
->val
= NULL
;
572 /* make a v5 salted pa-data */
573 add_padata(context
, a
->padata
, creds
->client
,
574 key_proc
, keyseed
, a
->req_body
.etype
.val
,
575 a
->req_body
.etype
.len
, NULL
);
577 /* make a v4 salted pa-data */
578 salt
.salttype
= KRB5_PW_SALT
;
579 krb5_data_zero(&salt
.saltvalue
);
580 add_padata(context
, a
->padata
, creds
->client
,
581 key_proc
, keyseed
, a
->req_body
.etype
.val
,
582 a
->req_body
.etype
.len
, &salt
);
584 krb5_set_error_string (context
, "pre-auth type %d not supported",
586 ret
= KRB5_PREAUTH_BAD_TYPE
;
596 set_ptypes(krb5_context context
,
598 const krb5_preauthtype
**ptypes
,
599 krb5_preauthdata
**preauth
)
601 static krb5_preauthdata preauth2
;
602 static krb5_preauthtype ptypes2
[] = { KRB5_PADATA_ENC_TIMESTAMP
, KRB5_PADATA_NONE
};
607 decode_METHOD_DATA(error
->e_data
->data
,
608 error
->e_data
->length
,
611 for(i
= 0; i
< md
.len
; i
++){
612 switch(md
.val
[i
].padata_type
){
613 case KRB5_PADATA_ENC_TIMESTAMP
:
616 case KRB5_PADATA_ETYPE_INFO
:
617 *preauth
= &preauth2
;
618 ALLOC_SEQ(*preauth
, 1);
619 (*preauth
)->val
[0].type
= KRB5_PADATA_ENC_TIMESTAMP
;
620 krb5_decode_ETYPE_INFO(context
,
621 md
.val
[i
].padata_value
.data
,
622 md
.val
[i
].padata_value
.length
,
623 &(*preauth
)->val
[0].info
,
630 free_METHOD_DATA(&md
);
637 krb5_error_code KRB5_LIB_FUNCTION
638 krb5_get_in_cred(krb5_context context
,
640 const krb5_addresses
*addrs
,
641 const krb5_enctype
*etypes
,
642 const krb5_preauthtype
*ptypes
,
643 const krb5_preauthdata
*preauth
,
644 krb5_key_proc key_proc
,
645 krb5_const_pointer keyseed
,
646 krb5_decrypt_proc decrypt_proc
,
647 krb5_const_pointer decryptarg
,
649 krb5_kdc_rep
*ret_as_reply
)
662 krb5_preauthdata
*my_preauth
= NULL
;
666 opts
= int2KDCOptions(options
);
668 krb5_generate_random_block (&nonce
, sizeof(nonce
));
673 ret
= init_as_req (context
,
685 free_ETYPE_INFO(&my_preauth
->val
[0].info
);
686 free (my_preauth
->val
);
692 ASN1_MALLOC_ENCODE(AS_REQ
, req
.data
, req
.length
, &a
, &len
, ret
);
696 if(len
!= req
.length
)
697 krb5_abortx(context
, "internal error in ASN.1 encoder");
699 ret
= krb5_sendto_kdc (context
, &req
, &creds
->client
->realm
, &resp
);
700 krb5_data_free(&req
);
704 memset (&rep
, 0, sizeof(rep
));
705 ret
= decode_AS_REP(resp
.data
, resp
.length
, &rep
.kdc_rep
, &size
);
707 /* let's try to parse it as a KRB-ERROR */
711 ret2
= krb5_rd_error(context
, &resp
, &error
);
712 if(ret2
&& resp
.data
&& ((char*)resp
.data
)[0] == 4)
713 ret
= KRB5KRB_AP_ERR_V4_REPLY
;
714 krb5_data_free(&resp
);
716 ret
= krb5_error_from_rd_error(context
, &error
, creds
);
717 /* if no preauth was set and KDC requires it, give it
719 if (!ptypes
&& !preauth
720 && ret
== KRB5KDC_ERR_PREAUTH_REQUIRED
722 || ret
== KRB5KDC_ERR_BADOPTION
724 && set_ptypes(context
, &error
, &ptypes
, &my_preauth
)) {
726 preauth
= my_preauth
;
727 krb5_free_error_contents(context
, &error
);
728 krb5_clear_error_string(context
);
732 ret_as_reply
->error
= error
;
734 free_KRB_ERROR (&error
);
739 krb5_data_free(&resp
);
743 etype
= rep
.kdc_rep
.enc_part
.etype
;
744 if(rep
.kdc_rep
.padata
){
746 pa
= krb5_find_padata(rep
.kdc_rep
.padata
->val
, rep
.kdc_rep
.padata
->len
,
747 KRB5_PADATA_PW_SALT
, &i
);
750 pa
= krb5_find_padata(rep
.kdc_rep
.padata
->val
,
751 rep
.kdc_rep
.padata
->len
,
752 KRB5_PADATA_AFS3_SALT
, &i
);
756 salt
.salttype
= pa
->padata_type
;
757 salt
.saltvalue
= pa
->padata_value
;
759 ret
= (*key_proc
)(context
, etype
, salt
, keyseed
, &key
);
761 /* make a v5 salted pa-data */
762 ret
= krb5_get_pw_salt (context
, creds
->client
, &salt
);
766 ret
= (*key_proc
)(context
, etype
, salt
, keyseed
, &key
);
767 krb5_free_salt(context
, salt
);
774 if (opts
.request_anonymous
)
775 flags
|= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH
;
777 ret
= _krb5_extract_ticket(context
,
782 KRB5_KU_AS_REP_ENC_PART
,
789 memset (key
->keyvalue
.data
, 0, key
->keyvalue
.length
);
790 krb5_free_keyblock_contents (context
, key
);
794 if (ret
== 0 && ret_as_reply
)
797 krb5_free_kdc_rep (context
, &rep
);
801 krb5_error_code KRB5_LIB_FUNCTION
802 krb5_get_in_tkt(krb5_context context
,
804 const krb5_addresses
*addrs
,
805 const krb5_enctype
*etypes
,
806 const krb5_preauthtype
*ptypes
,
807 krb5_key_proc key_proc
,
808 krb5_const_pointer keyseed
,
809 krb5_decrypt_proc decrypt_proc
,
810 krb5_const_pointer decryptarg
,
813 krb5_kdc_rep
*ret_as_reply
)
817 ret
= krb5_get_in_cred (context
,
832 ret
= krb5_cc_store_cred (context
, ccache
, creds
);