2 * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <krb5_locl.h>
38 static krb5_error_code
39 compare_addrs(krb5_context context
,
44 char a_str
[64], b_str
[64];
47 if(krb5_address_compare (context
, a
, b
))
50 krb5_print_address (a
, a_str
, sizeof(a_str
), &len
);
51 krb5_print_address (b
, b_str
, sizeof(b_str
), &len
);
52 krb5_set_error_string(context
, "%s: %s != %s", message
, b_str
, a_str
);
53 return KRB5KRB_AP_ERR_BADADDR
;
56 krb5_error_code KRB5_LIB_FUNCTION
57 krb5_rd_cred(krb5_context context
,
58 krb5_auth_context auth_context
,
60 krb5_creds
***ret_creds
,
61 krb5_replay_data
*outdata
)
66 EncKrbCredPart enc_krb_cred_part
;
67 krb5_data enc_krb_cred_part_data
;
71 memset(&enc_krb_cred_part
, 0, sizeof(enc_krb_cred_part
));
73 if ((auth_context
->flags
&
74 (KRB5_AUTH_CONTEXT_RET_TIME
| KRB5_AUTH_CONTEXT_RET_SEQUENCE
)) &&
76 return KRB5_RC_REQUIRED
; /* XXX better error, MIT returns this */
80 ret
= decode_KRB_CRED(in_data
->data
, in_data
->length
,
86 ret
= KRB5KRB_AP_ERR_BADVERSION
;
87 krb5_clear_error_string (context
);
91 if (cred
.msg_type
!= krb_cred
) {
92 ret
= KRB5KRB_AP_ERR_MSG_TYPE
;
93 krb5_clear_error_string (context
);
97 if (cred
.enc_part
.etype
== ETYPE_NULL
) {
98 /* DK: MIT GSS-API Compatibility */
99 enc_krb_cred_part_data
.length
= cred
.enc_part
.cipher
.length
;
100 enc_krb_cred_part_data
.data
= cred
.enc_part
.cipher
.data
;
102 /* Try both subkey and session key.
104 * RFC2140 claims we should use the session key, but Heimdal
105 * before 0.8 used the remote subkey if it was send in the
109 if (auth_context
->remote_subkey
) {
110 ret
= krb5_crypto_init(context
, auth_context
->remote_subkey
,
115 ret
= krb5_decrypt_EncryptedData(context
,
119 &enc_krb_cred_part_data
);
121 krb5_crypto_destroy(context
, crypto
);
125 * If there was not subkey, or we failed using subkey,
126 * retry using the session key
128 if (auth_context
->remote_subkey
== NULL
|| ret
== KRB5KRB_AP_ERR_BAD_INTEGRITY
)
131 ret
= krb5_crypto_init(context
, auth_context
->keyblock
,
137 ret
= krb5_decrypt_EncryptedData(context
,
141 &enc_krb_cred_part_data
);
143 krb5_crypto_destroy(context
, crypto
);
149 ret
= krb5_decode_EncKrbCredPart (context
,
150 enc_krb_cred_part_data
.data
,
151 enc_krb_cred_part_data
.length
,
157 /* check sender address */
159 if (enc_krb_cred_part
.s_address
160 && auth_context
->remote_address
161 && auth_context
->remote_port
) {
164 ret
= krb5_make_addrport (context
, &a
,
165 auth_context
->remote_address
,
166 auth_context
->remote_port
);
171 ret
= compare_addrs(context
, a
, enc_krb_cred_part
.s_address
,
172 "sender address is wrong in received creds");
173 krb5_free_address(context
, a
);
179 /* check receiver address */
181 if (enc_krb_cred_part
.r_address
182 && auth_context
->local_address
) {
183 if(auth_context
->local_port
&&
184 enc_krb_cred_part
.r_address
->addr_type
== KRB5_ADDRESS_ADDRPORT
) {
186 ret
= krb5_make_addrport (context
, &a
,
187 auth_context
->local_address
,
188 auth_context
->local_port
);
192 ret
= compare_addrs(context
, a
, enc_krb_cred_part
.r_address
,
193 "receiver address is wrong in received creds");
194 krb5_free_address(context
, a
);
199 ret
= compare_addrs(context
, auth_context
->local_address
,
200 enc_krb_cred_part
.r_address
,
201 "receiver address is wrong in received creds");
207 /* check timestamp */
208 if (auth_context
->flags
& KRB5_AUTH_CONTEXT_DO_TIME
) {
211 krb5_timeofday (context
, &sec
);
213 if (enc_krb_cred_part
.timestamp
== NULL
||
214 enc_krb_cred_part
.usec
== NULL
||
215 abs(*enc_krb_cred_part
.timestamp
- sec
)
216 > context
->max_skew
) {
217 krb5_clear_error_string (context
);
218 ret
= KRB5KRB_AP_ERR_SKEW
;
223 if ((auth_context
->flags
&
224 (KRB5_AUTH_CONTEXT_RET_TIME
| KRB5_AUTH_CONTEXT_RET_SEQUENCE
))) {
225 /* if these fields are not present in the cred-part, silently
227 memset(outdata
, 0, sizeof(*outdata
));
228 if(enc_krb_cred_part
.timestamp
)
229 outdata
->timestamp
= *enc_krb_cred_part
.timestamp
;
230 if(enc_krb_cred_part
.usec
)
231 outdata
->usec
= *enc_krb_cred_part
.usec
;
232 if(enc_krb_cred_part
.nonce
)
233 outdata
->seq
= *enc_krb_cred_part
.nonce
;
236 /* Convert to NULL terminated list of creds */
238 *ret_creds
= calloc(enc_krb_cred_part
.ticket_info
.len
+ 1,
239 sizeof(**ret_creds
));
241 if (*ret_creds
== NULL
) {
243 krb5_set_error_string (context
, "malloc: out of memory");
247 for (i
= 0; i
< enc_krb_cred_part
.ticket_info
.len
; ++i
) {
248 KrbCredInfo
*kci
= &enc_krb_cred_part
.ticket_info
.val
[i
];
252 creds
= calloc(1, sizeof(*creds
));
255 krb5_set_error_string (context
, "malloc: out of memory");
259 ASN1_MALLOC_ENCODE(Ticket
, creds
->ticket
.data
, creds
->ticket
.length
,
260 &cred
.tickets
.val
[i
], &len
, ret
);
263 if(creds
->ticket
.length
!= len
)
264 krb5_abortx(context
, "internal error in ASN.1 encoder");
265 copy_EncryptionKey (&kci
->key
, &creds
->session
);
266 if (kci
->prealm
&& kci
->pname
)
267 _krb5_principalname2krb5_principal (&creds
->client
,
271 creds
->flags
.b
= *kci
->flags
;
273 creds
->times
.authtime
= *kci
->authtime
;
275 creds
->times
.starttime
= *kci
->starttime
;
277 creds
->times
.endtime
= *kci
->endtime
;
279 creds
->times
.renew_till
= *kci
->renew_till
;
280 if (kci
->srealm
&& kci
->sname
)
281 _krb5_principalname2krb5_principal (&creds
->server
,
285 krb5_copy_addresses (context
,
289 (*ret_creds
)[i
] = creds
;
292 (*ret_creds
)[i
] = NULL
;
294 free_KRB_CRED (&cred
);
295 free_EncKrbCredPart(&enc_krb_cred_part
);
300 free_EncKrbCredPart(&enc_krb_cred_part
);
301 free_KRB_CRED (&cred
);
303 for(i
= 0; (*ret_creds
)[i
]; i
++)
304 krb5_free_creds(context
, (*ret_creds
)[i
]);
310 krb5_error_code KRB5_LIB_FUNCTION
311 krb5_rd_cred2 (krb5_context context
,
312 krb5_auth_context auth_context
,
320 ret
= krb5_rd_cred(context
, auth_context
, in_data
, &creds
, NULL
);
324 /* Store the creds in the ccache */
326 for(i
= 0; creds
&& creds
[i
]; i
++) {
327 krb5_cc_store_cred(context
, ccache
, creds
[i
]);
328 krb5_free_creds(context
, creds
[i
]);