search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
use DES_set_key_unchecked().
[heimdal.git] / lib / krb5 / get_in_tkt.c
blob5e8953348493c986aada576dd720f768dac53518
1 /*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "krb5_locl.h"
35
36 RCSID("$Id$");
37
38 krb5_error_code KRB5_LIB_FUNCTION
39 krb5_init_etype (krb5_context context,
40 unsigned *len,
41 krb5_enctype **val,
42 const krb5_enctype *etypes)
43 {
44 unsigned int i;
45 krb5_error_code ret;
46 krb5_enctype *tmp = NULL;
47
48 ret = 0;
49 if (etypes == NULL) {
50 ret = krb5_get_default_in_tkt_etypes(context,
51 &tmp);
52 if (ret)
53 return ret;
54 etypes = tmp;
55 }
56
57 for (i = 0; etypes[i]; ++i)
58 ;
59 *len = i;
60 *val = malloc(i * sizeof(**val));
61 if (i != 0 && *val == NULL) {
62 ret = ENOMEM;
63 krb5_set_error_string(context, "malloc: out of memory");
64 goto cleanup;
65 }
66 memmove (*val,
67 etypes,
68 i * sizeof(*tmp));
69 cleanup:
70 if (tmp != NULL)
71 free (tmp);
72 return ret;
73 }
74
75 static krb5_error_code
76 check_server_referral(krb5_context context,
77 krb5_kdc_rep *rep,
78 unsigned flags,
79 krb5_const_principal requested,
80 krb5_const_principal returned,
81 const krb5_keyblock const * key)
82 {
83 krb5_error_code ret;
84 PA_ServerReferralData ref;
85 krb5_crypto session;
86 EncryptedData ed;
87 size_t len;
88 krb5_data data;
89 PA_DATA *pa;
90 int i = 0, cmp;
91
92 if (rep->kdc_rep.padata == NULL)
93 goto noreferral;
94
95 pa = krb5_find_padata(rep->kdc_rep.padata->val,
96 rep->kdc_rep.padata->len,
97 KRB5_PADATA_SERVER_REFERRAL, &i);
98 if (pa == NULL)
99 goto noreferral;
100
101 memset(&ed, 0, sizeof(ed));
102 memset(&ref, 0, sizeof(ref));
103
104 ret = decode_EncryptedData(pa->padata_value.data,
105 pa->padata_value.length,
106 &ed, &len);
107 if (ret)
108 return ret;
109 if (len != pa->padata_value.length) {
110 free_EncryptedData(&ed);
111 krb5_set_error_string(context, "Referral EncryptedData wrong");
112 return KRB5KRB_AP_ERR_MODIFIED;
113 }
114
115 ret = krb5_crypto_init(context, key, 0, &session);
116 if (ret) {
117 free_EncryptedData(&ed);
118 return ret;
119 }
120
121 ret = krb5_decrypt_EncryptedData(context, session,
122 KRB5_KU_PA_SERVER_REFERRAL,
123 &ed, &data);
124 free_EncryptedData(&ed);
125 krb5_crypto_destroy(context, session);
126 if (ret)
127 return ret;
128
129 ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
130 if (ret) {
131 krb5_data_free(&data);
132 return ret;
133 }
134 krb5_data_free(&data);
135
136 if (strcmp(requested->realm, returned->realm) != 0) {
137 free_PA_ServerReferralData(&ref);
138 krb5_set_error_string(context, "server ref realm mismatch");
139 return KRB5KRB_AP_ERR_MODIFIED;
140 }
141
142 if (returned->name.name_string.len == 2 &&
143 strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0)
144 {
145 const char *realm = returned->name.name_string.val[1];
146
147 if (ref.referred_realm == NULL
148 || strcmp(*ref.referred_realm, realm) != 0)
149 {
150 free_PA_ServerReferralData(&ref);
151 krb5_set_error_string(context, "tgt returned with wrong ref");
152 return KRB5KRB_AP_ERR_MODIFIED;
153 }
154 } else if (krb5_principal_compare(context, returned, requested) == 0) {
155 free_PA_ServerReferralData(&ref);
156 krb5_set_error_string(context, "req princ no same as returned");
157 return KRB5KRB_AP_ERR_MODIFIED;
158 }
159
160 if (ref.requested_principal_name) {
161 cmp = _krb5_principal_compare_PrincipalName(context,
162 requested,
163 ref.requested_principal_name);
164 if (!cmp) {
165 free_PA_ServerReferralData(&ref);
166 krb5_set_error_string(context, "compare requested failed");
167 return KRB5KRB_AP_ERR_MODIFIED;
168 }
169 } else if (flags & EXTRACT_TICKET_AS_REQ) {
170 free_PA_ServerReferralData(&ref);
171 krb5_set_error_string(context, "Requested principal missing on AS-REQ");
172 return KRB5KRB_AP_ERR_MODIFIED;
173 }
174
175 free_PA_ServerReferralData(&ref);
176
177 return ret;
178 noreferral:
179 if (krb5_principal_compare(context, requested, returned) == FALSE) {
180 krb5_set_error_string(context, "Not same server principal returned "
181 "as requested");
182 return KRB5KRB_AP_ERR_MODIFIED;
183 }
184 return 0;
185 }
186
187
188 /*
189 * Verify referral data
190 */
191
192
193 static krb5_error_code
194 check_client_referral(krb5_context context,
195 krb5_kdc_rep *rep,
196 krb5_const_principal requested,
197 krb5_const_principal mapped,
198 krb5_keyblock const * key)
199 {
200 krb5_error_code ret;
201 PA_ClientCanonicalized canon;
202 krb5_crypto crypto;
203 krb5_data data;
204 PA_DATA *pa;
205 size_t len;
206 int i = 0;
207
208 if (rep->kdc_rep.padata == NULL)
209 goto noreferral;
210
211 pa = krb5_find_padata(rep->kdc_rep.padata->val,
212 rep->kdc_rep.padata->len,
213 KRB5_PADATA_CLIENT_CANONICALIZED, &i);
214 if (pa == NULL)
215 goto noreferral;
216
217 ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
218 pa->padata_value.length,
219 &canon, &len);
220 if (ret) {
221 krb5_set_error_string(context, "Failed to decode "
222 "PA_ClientCanonicalized");
223 return ret;
224 }
225
226 ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
227 &canon.names, &len, ret);
228 if (ret) {
229 free_PA_ClientCanonicalized(&canon);
230 return ret;
231 }
232 if (data.length != len)
233 krb5_abortx(context, "internal asn.1 error");
234
235 ret = krb5_crypto_init(context, key, 0, &crypto);
236 if (ret) {
237 free(data.data);
238 free_PA_ClientCanonicalized(&canon);
239 return ret;
240 }
241
242 ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
243 data.data, data.length,
244 &canon.canon_checksum);
245 krb5_crypto_destroy(context, crypto);
246 free(data.data);
247 if (ret) {
248 krb5_set_error_string(context, "Failed to verify "
249 "client canonicalized data");
250 free_PA_ClientCanonicalized(&canon);
251 return ret;
252 }
253
254 if (!_krb5_principal_compare_PrincipalName(context,
255 requested,
256 &canon.names.requested_name))
257 {
258 free_PA_ClientCanonicalized(&canon);
259 krb5_set_error_string(context, "Requested name doesn't match"
260 " in client referral");
261 return KRB5_PRINC_NOMATCH;
262 }
263 if (!_krb5_principal_compare_PrincipalName(context,
264 mapped,
265 &canon.names.mapped_name))
266 {
267 free_PA_ClientCanonicalized(&canon);
268 krb5_set_error_string(context, "Mapped name doesn't match"
269 " in client referral");
270 return KRB5_PRINC_NOMATCH;
271 }
272
273 return 0;
274
275 noreferral:
276 if (krb5_principal_compare(context, requested, mapped) == FALSE) {
277 krb5_set_error_string(context, "Not same client principal returned "
278 "as requested");
279 return KRB5KRB_AP_ERR_MODIFIED;
280 }
281 return 0;
282 }
283
284
285
286 static krb5_error_code
287 decrypt_tkt (krb5_context context,
288 krb5_keyblock *key,
289 krb5_key_usage usage,
290 krb5_const_pointer decrypt_arg,
291 krb5_kdc_rep *dec_rep)
292 {
293 krb5_error_code ret;
294 krb5_data data;
295 size_t size;
296 krb5_crypto crypto;
297
298 ret = krb5_crypto_init(context, key, 0, &crypto);
299 if (ret)
300 return ret;
301
302 ret = krb5_decrypt_EncryptedData (context,
303 crypto,
304 usage,
305 &dec_rep->kdc_rep.enc_part,
306 &data);
307 krb5_crypto_destroy(context, crypto);
308
309 if (ret)
310 return ret;
311
312 ret = krb5_decode_EncASRepPart(context,
313 data.data,
314 data.length,
315 &dec_rep->enc_part,
316 &size);
317 if (ret)
318 ret = krb5_decode_EncTGSRepPart(context,
319 data.data,
320 data.length,
321 &dec_rep->enc_part,
322 &size);
323 krb5_data_free (&data);
324 if (ret)
325 return ret;
326 return 0;
327 }
328
329 int
330 _krb5_extract_ticket(krb5_context context,
331 krb5_kdc_rep *rep,
332 krb5_creds *creds,
333 krb5_keyblock *key,
334 krb5_const_pointer keyseed,
335 krb5_key_usage key_usage,
336 krb5_addresses *addrs,
337 unsigned nonce,
338 unsigned flags,
339 krb5_decrypt_proc decrypt_proc,
340 krb5_const_pointer decryptarg)
341 {
342 krb5_error_code ret;
343 krb5_principal tmp_principal;
344 size_t len;
345 time_t tmp_time;
346 krb5_timestamp sec_now;
347
348 /* decrypt */
349
350 if (decrypt_proc == NULL)
351 decrypt_proc = decrypt_tkt;
352
353 ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
354 if (ret)
355 goto out;
356
357 /* save session key */
358
359 creds->session.keyvalue.length = 0;
360 creds->session.keyvalue.data = NULL;
361 creds->session.keytype = rep->enc_part.key.keytype;
362 ret = krb5_data_copy (&creds->session.keyvalue,
363 rep->enc_part.key.keyvalue.data,
364 rep->enc_part.key.keyvalue.length);
365 if (ret) {
366 krb5_clear_error_string(context);
367 goto out;
368 }
369
370 /* compare client and save */
371 ret = _krb5_principalname2krb5_principal (context,
372 &tmp_principal,
373 rep->kdc_rep.cname,
374 rep->kdc_rep.crealm);
375 if (ret)
376 goto out;
377
378 /* check client referral and save principal */
379 /* anonymous here ? */
380 if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
381 ret = check_client_referral(context, rep,
382 creds->client,
383 tmp_principal,
384 &creds->session);
385 if (ret) {
386 krb5_free_principal (context, tmp_principal);
387 goto out;
388 }
389 }
390 krb5_free_principal (context, creds->client);
391 creds->client = tmp_principal;
392
393 /* check server referral and save principal */
394 ret = _krb5_principalname2krb5_principal (context,
395 &tmp_principal,
396 rep->kdc_rep.ticket.sname,
397 rep->kdc_rep.ticket.realm);
398 if (ret)
399 goto out;
400 if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
401 ret = check_server_referral(context,
402 rep,
403 flags,
404 creds->server,
405 tmp_principal,
406 &creds->session);
407 if (ret) {
408 krb5_free_principal (context, tmp_principal);
409 goto out;
410 }
411 }
412 krb5_free_principal(context, creds->server);
413 creds->server = tmp_principal;
414
415 /* verify names */
416 if(flags & EXTRACT_TICKET_MATCH_REALM){
417 const char *srealm = krb5_principal_get_realm(context, creds->server);
418 const char *crealm = krb5_principal_get_realm(context, creds->client);
419
420 if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
421 strcmp(rep->enc_part.srealm, crealm) != 0)
422 {
423 ret = KRB5KRB_AP_ERR_MODIFIED;
424 krb5_clear_error_string(context);
425 goto out;
426 }
427 }
428
429 /* compare nonces */
430
431 if (nonce != rep->enc_part.nonce) {
432 ret = KRB5KRB_AP_ERR_MODIFIED;
433 krb5_set_error_string(context, "malloc: out of memory");
434 goto out;
435 }
436
437 /* set kdc-offset */
438
439 krb5_timeofday (context, &sec_now);
440 if (rep->enc_part.flags.initial
441 && context->kdc_sec_offset == 0
442 && krb5_config_get_bool (context, NULL,
443 "libdefaults",
444 "kdc_timesync",
445 NULL)) {
446 context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
447 krb5_timeofday (context, &sec_now);
448 }
449
450 /* check all times */
451
452 if (rep->enc_part.starttime) {
453 tmp_time = *rep->enc_part.starttime;
454 } else
455 tmp_time = rep->enc_part.authtime;
456
457 if (creds->times.starttime == 0
458 && abs(tmp_time - sec_now) > context->max_skew) {
459 ret = KRB5KRB_AP_ERR_SKEW;
460 krb5_set_error_string (context,
461 "time skew (%d) larger than max (%d)",
462 abs(tmp_time - sec_now),
463 (int)context->max_skew);
464 goto out;
465 }
466
467 if (creds->times.starttime != 0
468 && tmp_time != creds->times.starttime) {
469 krb5_clear_error_string (context);
470 ret = KRB5KRB_AP_ERR_MODIFIED;
471 goto out;
472 }
473
474 creds->times.starttime = tmp_time;
475
476 if (rep->enc_part.renew_till) {
477 tmp_time = *rep->enc_part.renew_till;
478 } else
479 tmp_time = 0;
480
481 if (creds->times.renew_till != 0
482 && tmp_time > creds->times.renew_till) {
483 krb5_clear_error_string (context);
484 ret = KRB5KRB_AP_ERR_MODIFIED;
485 goto out;
486 }
487
488 creds->times.renew_till = tmp_time;
489
490 creds->times.authtime = rep->enc_part.authtime;
491
492 if (creds->times.endtime != 0
493 && rep->enc_part.endtime > creds->times.endtime) {
494 krb5_clear_error_string (context);
495 ret = KRB5KRB_AP_ERR_MODIFIED;
496 goto out;
497 }
498
499 creds->times.endtime = rep->enc_part.endtime;
500
501 if(rep->enc_part.caddr)
502 krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
503 else if(addrs)
504 krb5_copy_addresses (context, addrs, &creds->addresses);
505 else {
506 creds->addresses.len = 0;
507 creds->addresses.val = NULL;
508 }
509 creds->flags.b = rep->enc_part.flags;
510
511 creds->authdata.len = 0;
512 creds->authdata.val = NULL;
513
514 /* extract ticket */
515 ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
516 &rep->kdc_rep.ticket, &len, ret);
517 if(ret)
518 goto out;
519 if (creds->ticket.length != len)
520 krb5_abortx(context, "internal error in ASN.1 encoder");
521 creds->second_ticket.length = 0;
522 creds->second_ticket.data = NULL;
523
524
525 out:
526 memset (rep->enc_part.key.keyvalue.data, 0,
527 rep->enc_part.key.keyvalue.length);
528 return ret;
529 }
530
531
532 static krb5_error_code
533 make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
534 krb5_enctype etype, krb5_keyblock *key)
535 {
536 PA_ENC_TS_ENC p;
537 unsigned char *buf;
538 size_t buf_size;
539 size_t len;
540 EncryptedData encdata;
541 krb5_error_code ret;
542 int32_t usec;
543 int usec2;
544 krb5_crypto crypto;
545
546 krb5_us_timeofday (context, &p.patimestamp, &usec);
547 usec2 = usec;
548 p.pausec = &usec2;
549
550 ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
551 if (ret)
552 return ret;
553 if(buf_size != len)
554 krb5_abortx(context, "internal error in ASN.1 encoder");
555 ret = krb5_crypto_init(context, key, 0, &crypto);
556 if (ret) {
557 free(buf);
558 return ret;
559 }
560 ret = krb5_encrypt_EncryptedData(context,
561 crypto,
562 KRB5_KU_PA_ENC_TIMESTAMP,
563 buf,
564 len,
565 0,
566 &encdata);
567 free(buf);
568 krb5_crypto_destroy(context, crypto);
569 if (ret)
570 return ret;
571
572 ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
573 free_EncryptedData(&encdata);
574 if (ret)
575 return ret;
576 if(buf_size != len)
577 krb5_abortx(context, "internal error in ASN.1 encoder");
578 pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
579 pa->padata_value.length = len;
580 pa->padata_value.data = buf;
581 return 0;
582 }
583
584 static krb5_error_code
585 add_padata(krb5_context context,
586 METHOD_DATA *md,
587 krb5_principal client,
588 krb5_key_proc key_proc,
589 krb5_const_pointer keyseed,
590 krb5_enctype *enctypes,
591 unsigned netypes,
592 krb5_salt *salt)
593 {
594 krb5_error_code ret;
595 PA_DATA *pa2;
596 krb5_salt salt2;
597 krb5_enctype *ep;
598 int i;
599
600 if(salt == NULL) {
601 /* default to standard salt */
602 ret = krb5_get_pw_salt (context, client, &salt2);
603 salt = &salt2;
604 }
605 if (!enctypes) {
606 enctypes = context->etypes;
607 netypes = 0;
608 for (ep = enctypes; *ep != ETYPE_NULL; ep++)
609 netypes++;
610 }
611 pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
612 if (pa2 == NULL) {
613 krb5_set_error_string(context, "malloc: out of memory");
614 return ENOMEM;
615 }
616 md->val = pa2;
617
618 for (i = 0; i < netypes; ++i) {
619 krb5_keyblock *key;
620
621 ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key);
622 if (ret)
623 continue;
624 ret = make_pa_enc_timestamp (context, &md->val[md->len],
625 enctypes[i], key);
626 krb5_free_keyblock (context, key);
627 if (ret)
628 return ret;
629 ++md->len;
630 }
631 if(salt == &salt2)
632 krb5_free_salt(context, salt2);
633 return 0;
634 }
635
636 static krb5_error_code
637 init_as_req (krb5_context context,
638 KDCOptions opts,
639 krb5_creds *creds,
640 const krb5_addresses *addrs,
641 const krb5_enctype *etypes,
642 const krb5_preauthtype *ptypes,
643 const krb5_preauthdata *preauth,
644 krb5_key_proc key_proc,
645 krb5_const_pointer keyseed,
646 unsigned nonce,
647 AS_REQ *a)
648 {
649 krb5_error_code ret;
650 krb5_salt salt;
651
652 memset(a, 0, sizeof(*a));
653
654 a->pvno = 5;
655 a->msg_type = krb_as_req;
656 a->req_body.kdc_options = opts;
657 a->req_body.cname = malloc(sizeof(*a->req_body.cname));
658 if (a->req_body.cname == NULL) {
659 ret = ENOMEM;
660 krb5_set_error_string(context, "malloc: out of memory");
661 goto fail;
662 }
663 a->req_body.sname = malloc(sizeof(*a->req_body.sname));
664 if (a->req_body.sname == NULL) {
665 ret = ENOMEM;
666 krb5_set_error_string(context, "malloc: out of memory");
667 goto fail;
668 }
669 ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
670 if (ret)
671 goto fail;
672 ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
673 if (ret)
674 goto fail;
675 ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
676 if (ret)
677 goto fail;
678
679 if(creds->times.starttime) {
680 a->req_body.from = malloc(sizeof(*a->req_body.from));
681 if (a->req_body.from == NULL) {
682 ret = ENOMEM;
683 krb5_set_error_string(context, "malloc: out of memory");
684 goto fail;
685 }
686 *a->req_body.from = creds->times.starttime;
687 }
688 if(creds->times.endtime){
689 ALLOC(a->req_body.till, 1);
690 *a->req_body.till = creds->times.endtime;
691 }
692 if(creds->times.renew_till){
693 a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
694 if (a->req_body.rtime == NULL) {
695 ret = ENOMEM;
696 krb5_set_error_string(context, "malloc: out of memory");
697 goto fail;
698 }
699 *a->req_body.rtime = creds->times.renew_till;
700 }
701 a->req_body.nonce = nonce;
702 ret = krb5_init_etype (context,
703 &a->req_body.etype.len,
704 &a->req_body.etype.val,
705 etypes);
706 if (ret)
707 goto fail;
708
709 /*
710 * This means no addresses
711 */
712
713 if (addrs && addrs->len == 0) {
714 a->req_body.addresses = NULL;
715 } else {
716 a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
717 if (a->req_body.addresses == NULL) {
718 ret = ENOMEM;
719 krb5_set_error_string(context, "malloc: out of memory");
720 goto fail;
721 }
722
723 if (addrs)
724 ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
725 else {
726 ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
727 if(ret == 0 && a->req_body.addresses->len == 0) {
728 free(a->req_body.addresses);
729 a->req_body.addresses = NULL;
730 }
731 }
732 if (ret)
733 return ret;
734 }
735
736 a->req_body.enc_authorization_data = NULL;
737 a->req_body.additional_tickets = NULL;
738
739 if(preauth != NULL) {
740 int i;
741 ALLOC(a->padata, 1);
742 if(a->padata == NULL) {
743 ret = ENOMEM;
744 krb5_set_error_string(context, "malloc: out of memory");
745 goto fail;
746 }
747 a->padata->val = NULL;
748 a->padata->len = 0;
749 for(i = 0; i < preauth->len; i++) {
750 if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
751 int j;
752
753 for(j = 0; j < preauth->val[i].info.len; j++) {
754 krb5_salt *sp = &salt;
755 if(preauth->val[i].info.val[j].salttype)
756 salt.salttype = *preauth->val[i].info.val[j].salttype;
757 else
758 salt.salttype = KRB5_PW_SALT;
759 if(preauth->val[i].info.val[j].salt)
760 salt.saltvalue = *preauth->val[i].info.val[j].salt;
761 else
762 if(salt.salttype == KRB5_PW_SALT)
763 sp = NULL;
764 else
765 krb5_data_zero(&salt.saltvalue);
766 ret = add_padata(context, a->padata, creds->client,
767 key_proc, keyseed,
768 &preauth->val[i].info.val[j].etype, 1,
769 sp);
770 if (ret == 0)
771 break;
772 }
773 }
774 }
775 } else
776 /* not sure this is the way to use `ptypes' */
777 if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
778 a->padata = NULL;
779 else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
780 ALLOC(a->padata, 1);
781 if (a->padata == NULL) {
782 ret = ENOMEM;
783 krb5_set_error_string(context, "malloc: out of memory");
784 goto fail;
785 }
786 a->padata->len = 0;
787 a->padata->val = NULL;
788
789 /* make a v5 salted pa-data */
790 add_padata(context, a->padata, creds->client,
791 key_proc, keyseed, a->req_body.etype.val,
792 a->req_body.etype.len, NULL);
793
794 /* make a v4 salted pa-data */
795 salt.salttype = KRB5_PW_SALT;
796 krb5_data_zero(&salt.saltvalue);
797 add_padata(context, a->padata, creds->client,
798 key_proc, keyseed, a->req_body.etype.val,
799 a->req_body.etype.len, &salt);
800 } else {
801 krb5_set_error_string (context, "pre-auth type %d not supported",
802 *ptypes);
803 ret = KRB5_PREAUTH_BAD_TYPE;
804 goto fail;
805 }
806 return 0;
807 fail:
808 free_AS_REQ(a);
809 return ret;
810 }
811
812 static int
813 set_ptypes(krb5_context context,
814 KRB_ERROR *error,
815 const krb5_preauthtype **ptypes,
816 krb5_preauthdata **preauth)
817 {
818 static krb5_preauthdata preauth2;
819 static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
820
821 if(error->e_data) {
822 METHOD_DATA md;
823 int i;
824 decode_METHOD_DATA(error->e_data->data,
825 error->e_data->length,
826 &md,
827 NULL);
828 for(i = 0; i < md.len; i++){
829 switch(md.val[i].padata_type){
830 case KRB5_PADATA_ENC_TIMESTAMP:
831 *ptypes = ptypes2;
832 break;
833 case KRB5_PADATA_ETYPE_INFO:
834 *preauth = &preauth2;
835 ALLOC_SEQ(*preauth, 1);
836 (*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
837 krb5_decode_ETYPE_INFO(context,
838 md.val[i].padata_value.data,
839 md.val[i].padata_value.length,
840 &(*preauth)->val[0].info,
841 NULL);
842 break;
843 default:
844 break;
845 }
846 }
847 free_METHOD_DATA(&md);
848 } else {
849 *ptypes = ptypes2;
850 }
851 return(1);
852 }
853
854 krb5_error_code KRB5_LIB_FUNCTION
855 krb5_get_in_cred(krb5_context context,
856 krb5_flags options,
857 const krb5_addresses *addrs,
858 const krb5_enctype *etypes,
859 const krb5_preauthtype *ptypes,
860 const krb5_preauthdata *preauth,
861 krb5_key_proc key_proc,
862 krb5_const_pointer keyseed,
863 krb5_decrypt_proc decrypt_proc,
864 krb5_const_pointer decryptarg,
865 krb5_creds *creds,
866 krb5_kdc_rep *ret_as_reply)
867 {
868 krb5_error_code ret;
869 AS_REQ a;
870 krb5_kdc_rep rep;
871 krb5_data req, resp;
872 size_t len;
873 krb5_salt salt;
874 krb5_keyblock *key;
875 size_t size;
876 KDCOptions opts;
877 PA_DATA *pa;
878 krb5_enctype etype;
879 krb5_preauthdata *my_preauth = NULL;
880 unsigned nonce;
881 int done;
882
883 opts = int2KDCOptions(options);
884
885 krb5_generate_random_block (&nonce, sizeof(nonce));
886 nonce &= 0xffffffff;
887
888 do {
889 done = 1;
890 ret = init_as_req (context,
891 opts,
892 creds,
893 addrs,
894 etypes,
895 ptypes,
896 preauth,
897 key_proc,
898 keyseed,
899 nonce,
900 &a);
901 if (my_preauth) {
902 free_ETYPE_INFO(&my_preauth->val[0].info);
903 free (my_preauth->val);
904 my_preauth = NULL;
905 }
906 if (ret)
907 return ret;
908
909 ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, &a, &len, ret);
910 free_AS_REQ(&a);
911 if (ret)
912 return ret;
913 if(len != req.length)
914 krb5_abortx(context, "internal error in ASN.1 encoder");
915
916 ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
917 krb5_data_free(&req);
918 if (ret)
919 return ret;
920
921 memset (&rep, 0, sizeof(rep));
922 ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
923 if(ret) {
924 /* let's try to parse it as a KRB-ERROR */
925 KRB_ERROR error;
926 int ret2;
927
928 ret2 = krb5_rd_error(context, &resp, &error);
929 if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
930 ret = KRB5KRB_AP_ERR_V4_REPLY;
931 krb5_data_free(&resp);
932 if (ret2 == 0) {
933 ret = krb5_error_from_rd_error(context, &error, creds);
934 /* if no preauth was set and KDC requires it, give it
935 one more try */
936 if (!ptypes && !preauth
937 && ret == KRB5KDC_ERR_PREAUTH_REQUIRED
938 #if 0
939 || ret == KRB5KDC_ERR_BADOPTION
940 #endif
941 && set_ptypes(context, &error, &ptypes, &my_preauth)) {
942 done = 0;
943 preauth = my_preauth;
944 krb5_free_error_contents(context, &error);
945 krb5_clear_error_string(context);
946 continue;
947 }
948 if(ret_as_reply)
949 ret_as_reply->error = error;
950 else
951 free_KRB_ERROR (&error);
952 return ret;
953 }
954 return ret;
955 }
956 krb5_data_free(&resp);
957 } while(!done);
958
959 pa = NULL;
960 etype = rep.kdc_rep.enc_part.etype;
961 if(rep.kdc_rep.padata){
962 int i = 0;
963 pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
964 KRB5_PADATA_PW_SALT, &i);
965 if(pa == NULL) {
966 i = 0;
967 pa = krb5_find_padata(rep.kdc_rep.padata->val,
968 rep.kdc_rep.padata->len,
969 KRB5_PADATA_AFS3_SALT, &i);
970 }
971 }
972 if(pa) {
973 salt.salttype = pa->padata_type;
974 salt.saltvalue = pa->padata_value;
975
976 ret = (*key_proc)(context, etype, salt, keyseed, &key);
977 } else {
978 /* make a v5 salted pa-data */
979 ret = krb5_get_pw_salt (context, creds->client, &salt);
980
981 if (ret)
982 goto out;
983 ret = (*key_proc)(context, etype, salt, keyseed, &key);
984 krb5_free_salt(context, salt);
985 }
986 if (ret)
987 goto out;
988
989 {
990 unsigned flags = 0;
991 if (opts.request_anonymous)
992 flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
993
994 ret = _krb5_extract_ticket(context,
995 &rep,
996 creds,
997 key,
998 keyseed,
999 KRB5_KU_AS_REP_ENC_PART,
1000 NULL,
1001 nonce,
1002 flags,
1003 decrypt_proc,
1004 decryptarg);
1005 }
1006 memset (key->keyvalue.data, 0, key->keyvalue.length);
1007 krb5_free_keyblock_contents (context, key);
1008 free (key);
1009
1010 out:
1011 if (ret == 0 && ret_as_reply)
1012 *ret_as_reply = rep;
1013 else
1014 krb5_free_kdc_rep (context, &rep);
1015 return ret;
1016 }
1017
1018 krb5_error_code KRB5_LIB_FUNCTION
1019 krb5_get_in_tkt(krb5_context context,
1020 krb5_flags options,
1021 const krb5_addresses *addrs,
1022 const krb5_enctype *etypes,
1023 const krb5_preauthtype *ptypes,
1024 krb5_key_proc key_proc,
1025 krb5_const_pointer keyseed,
1026 krb5_decrypt_proc decrypt_proc,
1027 krb5_const_pointer decryptarg,
1028 krb5_creds *creds,
1029 krb5_ccache ccache,
1030 krb5_kdc_rep *ret_as_reply)
1031 {
1032 krb5_error_code ret;
1033
1034 ret = krb5_get_in_cred (context,
1035 options,
1036 addrs,
1037 etypes,
1038 ptypes,
1039 NULL,
1040 key_proc,
1041 keyseed,
1042 decrypt_proc,
1043 decryptarg,
1044 creds,
1045 ret_as_reply);
1046 if(ret)
1047 return ret;
1048 if (ccache)
1049 ret = krb5_cc_store_cred (context, ccache, creds);
1050 return ret;
1051 }
Heimdal