2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "krb5_locl.h"
39 * Free ticket and content
41 * @param context a Kerberos 5 context
42 * @param ticket ticket to free
44 * @return Returns 0 to indicate success. Otherwise an kerberos et
45 * error code is returned, see krb5_get_error_message().
50 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
51 krb5_free_ticket(krb5_context context
,
54 free_EncTicketPart(&ticket
->ticket
);
55 krb5_free_principal(context
, ticket
->client
);
56 krb5_free_principal(context
, ticket
->server
);
62 * Copy ticket and content
64 * @param context a Kerberos 5 context
65 * @param from ticket to copy
66 * @param to new copy of ticket, free with krb5_free_ticket()
68 * @return Returns 0 to indicate success. Otherwise an kerberos et
69 * error code is returned, see krb5_get_error_message().
74 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
75 krb5_copy_ticket(krb5_context context
,
76 const krb5_ticket
*from
,
83 tmp
= malloc(sizeof(*tmp
));
85 krb5_set_error_message(context
, ENOMEM
,
86 N_("malloc: out of memory", ""));
89 if((ret
= copy_EncTicketPart(&from
->ticket
, &tmp
->ticket
))){
93 ret
= krb5_copy_principal(context
, from
->client
, &tmp
->client
);
95 free_EncTicketPart(&tmp
->ticket
);
99 ret
= krb5_copy_principal(context
, from
->server
, &tmp
->server
);
101 krb5_free_principal(context
, tmp
->client
);
102 free_EncTicketPart(&tmp
->ticket
);
111 * Return client principal in ticket
113 * @param context a Kerberos 5 context
114 * @param ticket ticket to copy
115 * @param client client principal, free with krb5_free_principal()
117 * @return Returns 0 to indicate success. Otherwise an kerberos et
118 * error code is returned, see krb5_get_error_message().
123 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
124 krb5_ticket_get_client(krb5_context context
,
125 const krb5_ticket
*ticket
,
126 krb5_principal
*client
)
128 return krb5_copy_principal(context
, ticket
->client
, client
);
132 * Return server principal in ticket
134 * @param context a Kerberos 5 context
135 * @param ticket ticket to copy
136 * @param server server principal, free with krb5_free_principal()
138 * @return Returns 0 to indicate success. Otherwise an kerberos et
139 * error code is returned, see krb5_get_error_message().
144 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
145 krb5_ticket_get_server(krb5_context context
,
146 const krb5_ticket
*ticket
,
147 krb5_principal
*server
)
149 return krb5_copy_principal(context
, ticket
->server
, server
);
153 * Return end time of ticket
155 * @param context a Kerberos 5 context
156 * @param ticket ticket to copy
158 * @return end time of ticket
163 KRB5_LIB_FUNCTION
time_t KRB5_LIB_CALL
164 krb5_ticket_get_endtime(krb5_context context
,
165 const krb5_ticket
*ticket
)
167 return ticket
->ticket
.endtime
;
171 * Get the flags from the Kerberos ticket
173 * @param context Kerberos context
174 * @param ticket Kerberos ticket
176 * @return ticket flags
178 * @ingroup krb5_ticket
181 krb5_ticket_get_flags(krb5_context context
,
182 const krb5_ticket
*ticket
)
184 return TicketFlags2int(ticket
->ticket
.flags
);
188 find_type_in_ad(krb5_context context
,
193 krb5_keyblock
*sessionkey
,
194 const AuthorizationData
*ad
,
197 krb5_error_code ret
= 0;
201 ret
= ENOENT
; /* XXX */
202 krb5_set_error_message(context
, ret
,
203 N_("Authorization data nested deeper "
204 "then %d levels, stop searching", ""),
210 * Only copy out the element the first time we get to it, we need
211 * to run over the whole authorization data fields to check if
212 * there are any container clases we need to care about.
214 for (i
= 0; i
< ad
->len
; i
++) {
215 if (!*found
&& ad
->val
[i
].ad_type
== type
) {
216 ret
= der_copy_octet_string(&ad
->val
[i
].ad_data
, data
);
218 krb5_set_error_message(context
, ret
,
219 N_("malloc: out of memory", ""));
225 switch (ad
->val
[i
].ad_type
) {
226 case KRB5_AUTHDATA_IF_RELEVANT
: {
227 AuthorizationData child
;
228 ret
= decode_AuthorizationData(ad
->val
[i
].ad_data
.data
,
229 ad
->val
[i
].ad_data
.length
,
233 krb5_set_error_message(context
, ret
,
234 N_("Failed to decode "
235 "IF_RELEVANT with %d", ""),
239 ret
= find_type_in_ad(context
, type
, data
, found
, FALSE
,
240 sessionkey
, &child
, level
+ 1);
241 free_AuthorizationData(&child
);
247 case KRB5_AUTHDATA_KDC_ISSUED
: {
250 ret
= decode_AD_KDCIssued(ad
->val
[i
].ad_data
.data
,
251 ad
->val
[i
].ad_data
.length
,
255 krb5_set_error_message(context
, ret
,
256 N_("Failed to decode "
257 "AD_KDCIssued with %d", ""),
266 ASN1_MALLOC_ENCODE(AuthorizationData
, buf
.data
, buf
.length
,
267 &child
.elements
, &len
, ret
);
269 free_AD_KDCIssued(&child
);
270 krb5_clear_error_message(context
);
273 if(buf
.length
!= len
)
274 krb5_abortx(context
, "internal error in ASN.1 encoder");
276 ret
= krb5_c_verify_checksum(context
, sessionkey
, 19, &buf
,
277 &child
.ad_checksum
, &valid
);
278 krb5_data_free(&buf
);
280 free_AD_KDCIssued(&child
);
284 krb5_clear_error_message(context
);
286 free_AD_KDCIssued(&child
);
290 ret
= find_type_in_ad(context
, type
, data
, found
, failp
, sessionkey
,
291 &child
.elements
, level
+ 1);
292 free_AD_KDCIssued(&child
);
298 case KRB5_AUTHDATA_AND_OR
:
301 ret
= ENOENT
; /* XXX */
302 krb5_set_error_message(context
, ret
,
303 N_("Authorization data contains "
304 "AND-OR element that is unknown to the "
310 ret
= ENOENT
; /* XXX */
311 krb5_set_error_message(context
, ret
,
312 N_("Authorization data contains "
313 "unknown type (%d) ", ""),
321 krb5_data_free(data
);
329 * Extract the authorization data type of type from the ticket. Store
330 * the field in data. This function is to use for kerberos
333 * @param context a Kerberos 5 context
334 * @param ticket Kerberos ticket
335 * @param type type to fetch
336 * @param data returned data, free with krb5_data_free()
341 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
342 krb5_ticket_get_authorization_data_type(krb5_context context
,
347 AuthorizationData
*ad
;
349 krb5_boolean found
= FALSE
;
351 krb5_data_zero(data
);
353 ad
= ticket
->ticket
.authorization_data
;
354 if (ticket
->ticket
.authorization_data
== NULL
) {
355 krb5_set_error_message(context
, ENOENT
,
356 N_("Ticket have not authorization data", ""));
357 return ENOENT
; /* XXX */
360 ret
= find_type_in_ad(context
, type
, data
, &found
, TRUE
,
361 &ticket
->ticket
.key
, ad
, 0);
365 krb5_set_error_message(context
, ENOENT
,
366 N_("Ticket have not "
367 "authorization data of type %d", ""),
369 return ENOENT
; /* XXX */
374 static krb5_error_code
375 check_server_referral(krb5_context context
,
378 krb5_const_principal requested
,
379 krb5_const_principal returned
,
383 PA_ServerReferralData ref
;
391 if (rep
->kdc_rep
.padata
== NULL
)
394 pa
= krb5_find_padata(rep
->kdc_rep
.padata
->val
,
395 rep
->kdc_rep
.padata
->len
,
396 KRB5_PADATA_SERVER_REFERRAL
, &i
);
400 memset(&ed
, 0, sizeof(ed
));
401 memset(&ref
, 0, sizeof(ref
));
403 ret
= decode_EncryptedData(pa
->padata_value
.data
,
404 pa
->padata_value
.length
,
408 if (len
!= pa
->padata_value
.length
) {
409 free_EncryptedData(&ed
);
410 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
411 N_("Referral EncryptedData wrong for realm %s",
412 "realm"), requested
->realm
);
413 return KRB5KRB_AP_ERR_MODIFIED
;
416 ret
= krb5_crypto_init(context
, key
, 0, &session
);
418 free_EncryptedData(&ed
);
422 ret
= krb5_decrypt_EncryptedData(context
, session
,
423 KRB5_KU_PA_SERVER_REFERRAL
,
425 free_EncryptedData(&ed
);
426 krb5_crypto_destroy(context
, session
);
430 ret
= decode_PA_ServerReferralData(data
.data
, data
.length
, &ref
, &len
);
432 krb5_data_free(&data
);
435 krb5_data_free(&data
);
437 if (strcmp(requested
->realm
, returned
->realm
) != 0) {
438 free_PA_ServerReferralData(&ref
);
439 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
440 N_("server ref realm mismatch, "
441 "requested realm %s got back %s", ""),
442 requested
->realm
, returned
->realm
);
443 return KRB5KRB_AP_ERR_MODIFIED
;
446 if (krb5_principal_is_krbtgt(context
, returned
)) {
447 const char *realm
= returned
->name
.name_string
.val
[1];
449 if (ref
.referred_realm
== NULL
450 || strcmp(*ref
.referred_realm
, realm
) != 0)
452 free_PA_ServerReferralData(&ref
);
453 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
454 N_("tgt returned with wrong ref", ""));
455 return KRB5KRB_AP_ERR_MODIFIED
;
457 } else if (krb5_principal_compare(context
, returned
, requested
) == 0) {
458 free_PA_ServerReferralData(&ref
);
459 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
460 N_("req princ no same as returned", ""));
461 return KRB5KRB_AP_ERR_MODIFIED
;
464 if (ref
.requested_principal_name
) {
465 cmp
= _krb5_principal_compare_PrincipalName(context
,
467 ref
.requested_principal_name
);
469 free_PA_ServerReferralData(&ref
);
470 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
471 N_("referred principal not same "
472 "as requested", ""));
473 return KRB5KRB_AP_ERR_MODIFIED
;
475 } else if (flags
& EXTRACT_TICKET_AS_REQ
) {
476 free_PA_ServerReferralData(&ref
);
477 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
478 N_("Requested principal missing on AS-REQ", ""));
479 return KRB5KRB_AP_ERR_MODIFIED
;
482 free_PA_ServerReferralData(&ref
);
487 * Expect excact match or that we got a krbtgt
489 if (krb5_principal_compare(context
, requested
, returned
) != TRUE
&&
490 (krb5_realm_compare(context
, requested
, returned
) != TRUE
&&
491 krb5_principal_is_krbtgt(context
, returned
) != TRUE
))
493 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
494 N_("Not same server principal returned "
495 "as requested", ""));
496 return KRB5KRB_AP_ERR_MODIFIED
;
503 * Verify referral data
507 static krb5_error_code
508 check_client_referral(krb5_context context
,
510 krb5_const_principal requested
,
511 krb5_const_principal mapped
,
512 krb5_keyblock
const * key
)
515 PA_ClientCanonicalized canon
;
522 if (rep
->kdc_rep
.padata
== NULL
)
525 pa
= krb5_find_padata(rep
->kdc_rep
.padata
->val
,
526 rep
->kdc_rep
.padata
->len
,
527 KRB5_PADATA_CLIENT_CANONICALIZED
, &i
);
531 ret
= decode_PA_ClientCanonicalized(pa
->padata_value
.data
,
532 pa
->padata_value
.length
,
535 krb5_set_error_message(context
, ret
,
536 N_("Failed to decode ClientCanonicalized "
537 "from realm %s", ""), requested
->realm
);
541 ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames
, data
.data
, data
.length
,
542 &canon
.names
, &len
, ret
);
544 free_PA_ClientCanonicalized(&canon
);
547 if (data
.length
!= len
)
548 krb5_abortx(context
, "internal asn.1 error");
550 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
553 free_PA_ClientCanonicalized(&canon
);
557 ret
= krb5_verify_checksum(context
, crypto
, KRB5_KU_CANONICALIZED_NAMES
,
558 data
.data
, data
.length
,
559 &canon
.canon_checksum
);
560 krb5_crypto_destroy(context
, crypto
);
563 krb5_set_error_message(context
, ret
,
564 N_("Failed to verify client canonicalized "
565 "data from realm %s", ""),
567 free_PA_ClientCanonicalized(&canon
);
571 if (!_krb5_principal_compare_PrincipalName(context
,
573 &canon
.names
.requested_name
))
575 free_PA_ClientCanonicalized(&canon
);
576 krb5_set_error_message(context
, KRB5_PRINC_NOMATCH
,
577 N_("Requested name doesn't match"
578 " in client referral", ""));
579 return KRB5_PRINC_NOMATCH
;
581 if (!_krb5_principal_compare_PrincipalName(context
,
583 &canon
.names
.mapped_name
))
585 free_PA_ClientCanonicalized(&canon
);
586 krb5_set_error_message(context
, KRB5_PRINC_NOMATCH
,
587 N_("Mapped name doesn't match"
588 " in client referral", ""));
589 return KRB5_PRINC_NOMATCH
;
595 if (krb5_principal_compare(context
, requested
, mapped
) == FALSE
) {
596 krb5_set_error_message(context
, KRB5KRB_AP_ERR_MODIFIED
,
597 N_("Not same client principal returned "
598 "as requested", ""));
599 return KRB5KRB_AP_ERR_MODIFIED
;
605 static krb5_error_code
606 decrypt_tkt (krb5_context context
,
608 krb5_key_usage usage
,
609 krb5_const_pointer decrypt_arg
,
610 krb5_kdc_rep
*dec_rep
)
617 ret
= krb5_crypto_init(context
, key
, 0, &crypto
);
621 ret
= krb5_decrypt_EncryptedData (context
,
624 &dec_rep
->kdc_rep
.enc_part
,
626 krb5_crypto_destroy(context
, crypto
);
631 ret
= decode_EncASRepPart(data
.data
,
636 ret
= decode_EncTGSRepPart(data
.data
,
640 krb5_data_free (&data
);
642 krb5_set_error_message(context
, ret
,
643 N_("Failed to decode encpart in ticket", ""));
650 _krb5_extract_ticket(krb5_context context
,
654 krb5_const_pointer keyseed
,
655 krb5_key_usage key_usage
,
656 krb5_addresses
*addrs
,
659 krb5_decrypt_proc decrypt_proc
,
660 krb5_const_pointer decryptarg
)
663 krb5_principal tmp_principal
;
666 krb5_timestamp sec_now
;
670 if (decrypt_proc
== NULL
)
671 decrypt_proc
= decrypt_tkt
;
673 ret
= (*decrypt_proc
)(context
, key
, key_usage
, decryptarg
, rep
);
677 /* save session key */
679 creds
->session
.keyvalue
.length
= 0;
680 creds
->session
.keyvalue
.data
= NULL
;
681 creds
->session
.keytype
= rep
->enc_part
.key
.keytype
;
682 ret
= krb5_data_copy (&creds
->session
.keyvalue
,
683 rep
->enc_part
.key
.keyvalue
.data
,
684 rep
->enc_part
.key
.keyvalue
.length
);
686 krb5_clear_error_message(context
);
692 * this is really a ugly hack, to support using the Netbios Domain Name
693 * as realm against windows KDC's, they always return the full realm
694 * based on the DNS Name.
696 flags
|= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH
;
697 flags
|= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH
;
699 /* compare client and save */
700 ret
= _krb5_principalname2krb5_principal (context
,
703 rep
->kdc_rep
.crealm
);
707 /* check client referral and save principal */
708 /* anonymous here ? */
709 if((flags
& EXTRACT_TICKET_ALLOW_CNAME_MISMATCH
) == 0) {
710 ret
= check_client_referral(context
, rep
,
715 krb5_free_principal (context
, tmp_principal
);
719 krb5_free_principal (context
, creds
->client
);
720 creds
->client
= tmp_principal
;
722 /* check server referral and save principal */
723 ret
= _krb5_principalname2krb5_principal (context
,
725 rep
->kdc_rep
.ticket
.sname
,
726 rep
->kdc_rep
.ticket
.realm
);
729 if((flags
& EXTRACT_TICKET_ALLOW_SERVER_MISMATCH
) == 0){
730 ret
= check_server_referral(context
,
737 krb5_free_principal (context
, tmp_principal
);
741 krb5_free_principal(context
, creds
->server
);
742 creds
->server
= tmp_principal
;
745 if(flags
& EXTRACT_TICKET_MATCH_REALM
){
746 const char *srealm
= krb5_principal_get_realm(context
, creds
->server
);
747 const char *crealm
= krb5_principal_get_realm(context
, creds
->client
);
749 if (strcmp(rep
->enc_part
.srealm
, srealm
) != 0 ||
750 strcmp(rep
->enc_part
.srealm
, crealm
) != 0)
752 ret
= KRB5KRB_AP_ERR_MODIFIED
;
753 krb5_clear_error_message(context
);
760 if (nonce
!= rep
->enc_part
.nonce
) {
761 ret
= KRB5KRB_AP_ERR_MODIFIED
;
762 krb5_set_error_message(context
, ret
, N_("malloc: out of memory", ""));
768 krb5_timeofday (context
, &sec_now
);
769 if (rep
->enc_part
.flags
.initial
770 && (flags
& EXTRACT_TICKET_TIMESYNC
)
771 && context
->kdc_sec_offset
== 0
772 && krb5_config_get_bool (context
, NULL
,
776 context
->kdc_sec_offset
= rep
->enc_part
.authtime
- sec_now
;
777 krb5_timeofday (context
, &sec_now
);
780 /* check all times */
782 if (rep
->enc_part
.starttime
) {
783 tmp_time
= *rep
->enc_part
.starttime
;
785 tmp_time
= rep
->enc_part
.authtime
;
787 if (creds
->times
.starttime
== 0
788 && abs(tmp_time
- sec_now
) > context
->max_skew
) {
789 ret
= KRB5KRB_AP_ERR_SKEW
;
790 krb5_set_error_message (context
, ret
,
791 N_("time skew (%d) larger than max (%d)", ""),
792 abs(tmp_time
- sec_now
),
793 (int)context
->max_skew
);
797 if (creds
->times
.starttime
!= 0
798 && tmp_time
!= creds
->times
.starttime
) {
799 krb5_clear_error_message (context
);
800 ret
= KRB5KRB_AP_ERR_MODIFIED
;
804 creds
->times
.starttime
= tmp_time
;
806 if (rep
->enc_part
.renew_till
) {
807 tmp_time
= *rep
->enc_part
.renew_till
;
811 if (creds
->times
.renew_till
!= 0
812 && tmp_time
> creds
->times
.renew_till
) {
813 krb5_clear_error_message (context
);
814 ret
= KRB5KRB_AP_ERR_MODIFIED
;
818 creds
->times
.renew_till
= tmp_time
;
820 creds
->times
.authtime
= rep
->enc_part
.authtime
;
822 if (creds
->times
.endtime
!= 0
823 && rep
->enc_part
.endtime
> creds
->times
.endtime
) {
824 krb5_clear_error_message (context
);
825 ret
= KRB5KRB_AP_ERR_MODIFIED
;
829 creds
->times
.endtime
= rep
->enc_part
.endtime
;
831 if(rep
->enc_part
.caddr
)
832 krb5_copy_addresses (context
, rep
->enc_part
.caddr
, &creds
->addresses
);
834 krb5_copy_addresses (context
, addrs
, &creds
->addresses
);
836 creds
->addresses
.len
= 0;
837 creds
->addresses
.val
= NULL
;
839 creds
->flags
.b
= rep
->enc_part
.flags
;
841 creds
->authdata
.len
= 0;
842 creds
->authdata
.val
= NULL
;
845 ASN1_MALLOC_ENCODE(Ticket
, creds
->ticket
.data
, creds
->ticket
.length
,
846 &rep
->kdc_rep
.ticket
, &len
, ret
);
849 if (creds
->ticket
.length
!= len
)
850 krb5_abortx(context
, "internal error in ASN.1 encoder");
851 creds
->second_ticket
.length
= 0;
852 creds
->second_ticket
.data
= NULL
;
856 memset (rep
->enc_part
.key
.keyvalue
.data
, 0,
857 rep
->enc_part
.key
.keyvalue
.length
);