search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
spelling
[heimdal.git] / kdc / 524.c
blobcb50263aaf840566f879f827c30a5b7be8656504
1 /*
2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kdc_locl.h"
35
36 #include <krb5-v4compat.h>
37
38 /*
39 * fetch the server from `t', returning the name in malloced memory in
40 * `spn' and the entry itself in `server'
41 */
42
43 static krb5_error_code
44 fetch_server (krb5_context context,
45 krb5_kdc_configuration *config,
46 const Ticket *t,
47 char **spn,
48 hdb_entry_ex **server,
49 const char *from)
50 {
51 krb5_error_code ret;
52 krb5_principal sprinc;
53
54 ret = _krb5_principalname2krb5_principal(context, &sprinc,
55 t->sname, t->realm);
56 if (ret) {
57 kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
58 krb5_get_err_text(context, ret));
59 return ret;
60 }
61 ret = krb5_unparse_name(context, sprinc, spn);
62 if (ret) {
63 krb5_free_principal(context, sprinc);
64 kdc_log(context, config, 0, "krb5_unparse_name: %s",
65 krb5_get_err_text(context, ret));
66 return ret;
67 }
68 ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER,
69 NULL, server);
70 krb5_free_principal(context, sprinc);
71 if (ret) {
72 kdc_log(context, config, 0,
73 "Request to convert ticket from %s for unknown principal %s: %s",
74 from, *spn, krb5_get_err_text(context, ret));
75 if (ret == HDB_ERR_NOENTRY)
76 ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
77 return ret;
78 }
79 return 0;
80 }
81
82 static krb5_error_code
83 log_524 (krb5_context context,
84 krb5_kdc_configuration *config,
85 const EncTicketPart *et,
86 const char *from,
87 const char *spn)
88 {
89 krb5_principal client;
90 char *cpn;
91 krb5_error_code ret;
92
93 ret = _krb5_principalname2krb5_principal(context, &client,
94 et->cname, et->crealm);
95 if (ret) {
96 kdc_log(context, config, 0, "_krb5_principalname2krb5_principal: %s",
97 krb5_get_err_text (context, ret));
98 return ret;
99 }
100 ret = krb5_unparse_name(context, client, &cpn);
101 if (ret) {
102 krb5_free_principal(context, client);
103 kdc_log(context, config, 0, "krb5_unparse_name: %s",
104 krb5_get_err_text (context, ret));
105 return ret;
106 }
107 kdc_log(context, config, 1, "524-REQ %s from %s for %s", cpn, from, spn);
108 free(cpn);
109 krb5_free_principal(context, client);
110 return 0;
111 }
112
113 static krb5_error_code
114 verify_flags (krb5_context context,
115 krb5_kdc_configuration *config,
116 const EncTicketPart *et,
117 const char *spn)
118 {
119 if(et->endtime < kdc_time){
120 kdc_log(context, config, 0, "Ticket expired (%s)", spn);
121 return KRB5KRB_AP_ERR_TKT_EXPIRED;
122 }
123 if(et->flags.invalid){
124 kdc_log(context, config, 0, "Ticket not valid (%s)", spn);
125 return KRB5KRB_AP_ERR_TKT_NYV;
126 }
127 return 0;
128 }
129
130 /*
131 * set the `et->caddr' to the most appropriate address to use, where
132 * `addr' is the address the request was received from.
133 */
134
135 static krb5_error_code
136 set_address (krb5_context context,
137 krb5_kdc_configuration *config,
138 EncTicketPart *et,
139 struct sockaddr *addr,
140 const char *from)
141 {
142 krb5_error_code ret;
143 krb5_address *v4_addr;
144
145 v4_addr = malloc (sizeof(*v4_addr));
146 if (v4_addr == NULL)
147 return ENOMEM;
148
149 ret = krb5_sockaddr2address(context, addr, v4_addr);
150 if(ret) {
151 free (v4_addr);
152 kdc_log(context, config, 0, "Failed to convert address (%s)", from);
153 return ret;
154 }
155
156 if (et->caddr && !krb5_address_search (context, v4_addr, et->caddr)) {
157 kdc_log(context, config, 0, "Incorrect network address (%s)", from);
158 krb5_free_address(context, v4_addr);
159 free (v4_addr);
160 return KRB5KRB_AP_ERR_BADADDR;
161 }
162 if(v4_addr->addr_type == KRB5_ADDRESS_INET) {
163 /* we need to collapse the addresses in the ticket to a
164 single address; best guess is to use the address the
165 connection came from */
166
167 if (et->caddr != NULL) {
168 free_HostAddresses(et->caddr);
169 } else {
170 et->caddr = malloc (sizeof (*et->caddr));
171 if (et->caddr == NULL) {
172 krb5_free_address(context, v4_addr);
173 free(v4_addr);
174 return ENOMEM;
175 }
176 }
177 et->caddr->val = v4_addr;
178 et->caddr->len = 1;
179 } else {
180 krb5_free_address(context, v4_addr);
181 free(v4_addr);
182 }
183 return 0;
184 }
185
186
187 static krb5_error_code
188 encrypt_v4_ticket(krb5_context context,
189 krb5_kdc_configuration *config,
190 void *buf,
191 size_t len,
192 krb5_keyblock *skey,
193 EncryptedData *reply)
194 {
195 krb5_crypto crypto;
196 krb5_error_code ret;
197 ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
198 if (ret) {
199 free(buf);
200 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
201 krb5_get_err_text(context, ret));
202 return ret;
203 }
204
205 ret = krb5_encrypt_EncryptedData(context,
206 crypto,
207 KRB5_KU_TICKET,
208 buf,
209 len,
210 0,
211 reply);
212 krb5_crypto_destroy(context, crypto);
213 if(ret) {
214 kdc_log(context, config, 0, "Failed to encrypt data: %s",
215 krb5_get_err_text(context, ret));
216 return ret;
217 }
218 return 0;
219 }
220
221 static krb5_error_code
222 encode_524_response(krb5_context context,
223 krb5_kdc_configuration *config,
224 const char *spn, const EncTicketPart et,
225 const Ticket *t, hdb_entry_ex *server,
226 EncryptedData *ticket, int *kvno)
227 {
228 krb5_error_code ret;
229 int use_2b;
230 size_t len;
231
232 use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL);
233 if(use_2b) {
234 ASN1_MALLOC_ENCODE(EncryptedData,
235 ticket->cipher.data, ticket->cipher.length,
236 &t->enc_part, &len, ret);
237
238 if (ret) {
239 kdc_log(context, config, 0,
240 "Failed to encode v4 (2b) ticket (%s)", spn);
241 return ret;
242 }
243
244 ticket->etype = 0;
245 ticket->kvno = NULL;
246 *kvno = 213; /* 2b's use this magic kvno */
247 } else {
248 unsigned char buf[MAX_KTXT_LEN + 4 * 4];
249 Key *skey;
250
251 if (!config->enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
252 kdc_log(context, config, 0, "524 cross-realm %s -> %s disabled", et.crealm,
253 t->realm);
254 return KRB5KDC_ERR_POLICY;
255 }
256
257 ret = _kdc_encode_v4_ticket(context, config,
258 buf + sizeof(buf) - 1, sizeof(buf),
259 &et, &t->sname, &len);
260 if(ret){
261 kdc_log(context, config, 0,
262 "Failed to encode v4 ticket (%s)", spn);
263 return ret;
264 }
265 ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
266 if(ret){
267 kdc_log(context, config, 0,
268 "no suitable DES key for server (%s)", spn);
269 return ret;
270 }
271 ret = encrypt_v4_ticket(context, config, buf + sizeof(buf) - len, len,
272 &skey->key, ticket);
273 if(ret){
274 kdc_log(context, config, 0,
275 "Failed to encrypt v4 ticket (%s)", spn);
276 return ret;
277 }
278 *kvno = server->entry.kvno;
279 }
280
281 return 0;
282 }
283
284 /*
285 * process a 5->4 request, based on `t', and received `from, addr',
286 * returning the reply in `reply'
287 */
288
289 krb5_error_code
290 _kdc_do_524(krb5_context context,
291 krb5_kdc_configuration *config,
292 const Ticket *t, krb5_data *reply,
293 const char *from, struct sockaddr *addr)
294 {
295 krb5_error_code ret = 0;
296 krb5_crypto crypto;
297 hdb_entry_ex *server = NULL;
298 Key *skey;
299 krb5_data et_data;
300 EncTicketPart et;
301 EncryptedData ticket;
302 krb5_storage *sp;
303 char *spn = NULL;
304 unsigned char buf[MAX_KTXT_LEN + 4 * 4];
305 int kvno = 0;
306
307 if(!config->enable_524) {
308 ret = KRB5KDC_ERR_POLICY;
309 kdc_log(context, config, 0,
310 "Rejected ticket conversion request from %s", from);
311 goto out;
312 }
313
314 ret = fetch_server (context, config, t, &spn, &server, from);
315 if (ret) {
316 goto out;
317 }
318
319 ret = hdb_enctype2key(context, &server->entry, t->enc_part.etype, &skey);
320 if(ret){
321 kdc_log(context, config, 0,
322 "No suitable key found for server (%s) from %s", spn, from);
323 goto out;
324 }
325 ret = krb5_crypto_init(context, &skey->key, 0, &crypto);
326 if (ret) {
327 kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
328 krb5_get_err_text(context, ret));
329 goto out;
330 }
331 ret = krb5_decrypt_EncryptedData (context,
332 crypto,
333 KRB5_KU_TICKET,
334 &t->enc_part,
335 &et_data);
336 krb5_crypto_destroy(context, crypto);
337 if(ret){
338 kdc_log(context, config, 0,
339 "Failed to decrypt ticket from %s for %s", from, spn);
340 goto out;
341 }
342 ret = decode_EncTicketPart(et_data.data, et_data.length, &et, NULL);
343 krb5_data_free(&et_data);
344 if(ret){
345 kdc_log(context, config, 0,
346 "Failed to decode ticket from %s for %s", from, spn);
347 goto out;
348 }
349
350 ret = log_524 (context, config, &et, from, spn);
351 if (ret) {
352 free_EncTicketPart(&et);
353 goto out;
354 }
355
356 ret = verify_flags (context, config, &et, spn);
357 if (ret) {
358 free_EncTicketPart(&et);
359 goto out;
360 }
361
362 ret = set_address (context, config, &et, addr, from);
363 if (ret) {
364 free_EncTicketPart(&et);
365 goto out;
366 }
367
368 ret = encode_524_response(context, config, spn, et, t,
369 server, &ticket, &kvno);
370 free_EncTicketPart(&et);
371
372 out:
373 /* make reply */
374 memset(buf, 0, sizeof(buf));
375 sp = krb5_storage_from_mem(buf, sizeof(buf));
376 if (sp) {
377 krb5_store_int32(sp, ret);
378 if(ret == 0){
379 krb5_store_int32(sp, kvno);
380 krb5_store_data(sp, ticket.cipher);
381 /* Aargh! This is coded as a KTEXT_ST. */
382 krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
383 krb5_store_int32(sp, 0); /* mbz */
384 free_EncryptedData(&ticket);
385 }
386 ret = krb5_storage_to_data(sp, reply);
387 reply->length = krb5_storage_seek(sp, 0, SEEK_CUR);
388 krb5_storage_free(sp);
389 } else
390 krb5_data_zero(reply);
391 if(spn)
392 free(spn);
393 if(server)
394 _kdc_free_ent (context, server);
395 return ret;
396 }
Heimdal