search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Quiet a warning in test_plugin.c
[heimdal.git] / lib / krb5 / ticket.c
blobc1c98edf492f4ba9d403d1959e778e5e2d361341
1 /*
2 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "krb5_locl.h"
37
38 /**
39 * Free ticket and content
40 *
41 * @param context a Kerberos 5 context
42 * @param ticket ticket to free
43 *
44 * @return Returns 0 to indicate success. Otherwise an kerberos et
45 * error code is returned, see krb5_get_error_message().
46 *
47 * @ingroup krb5
48 */
49
50 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
51 krb5_free_ticket(krb5_context context,
52 krb5_ticket *ticket)
53 {
54 free_EncTicketPart(&ticket->ticket);
55 krb5_free_principal(context, ticket->client);
56 krb5_free_principal(context, ticket->server);
57 free(ticket);
58 return 0;
59 }
60
61 /**
62 * Copy ticket and content
63 *
64 * @param context a Kerberos 5 context
65 * @param from ticket to copy
66 * @param to new copy of ticket, free with krb5_free_ticket()
67 *
68 * @return Returns 0 to indicate success. Otherwise an kerberos et
69 * error code is returned, see krb5_get_error_message().
70 *
71 * @ingroup krb5
72 */
73
74 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
75 krb5_copy_ticket(krb5_context context,
76 const krb5_ticket *from,
77 krb5_ticket **to)
78 {
79 krb5_error_code ret;
80 krb5_ticket *tmp;
81
82 *to = NULL;
83 tmp = malloc(sizeof(*tmp));
84 if (tmp == NULL)
85 return krb5_enomem(context);
86 if((ret = copy_EncTicketPart(&from->ticket, &tmp->ticket))){
87 free(tmp);
88 return ret;
89 }
90 ret = krb5_copy_principal(context, from->client, &tmp->client);
91 if(ret){
92 free_EncTicketPart(&tmp->ticket);
93 free(tmp);
94 return ret;
95 }
96 ret = krb5_copy_principal(context, from->server, &tmp->server);
97 if(ret){
98 krb5_free_principal(context, tmp->client);
99 free_EncTicketPart(&tmp->ticket);
100 free(tmp);
101 return ret;
102 }
103 *to = tmp;
104 return 0;
105 }
106
107 /**
108 * Return client principal in ticket
109 *
110 * @param context a Kerberos 5 context
111 * @param ticket ticket to copy
112 * @param client client principal, free with krb5_free_principal()
113 *
114 * @return Returns 0 to indicate success. Otherwise an kerberos et
115 * error code is returned, see krb5_get_error_message().
116 *
117 * @ingroup krb5
118 */
119
120 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
121 krb5_ticket_get_client(krb5_context context,
122 const krb5_ticket *ticket,
123 krb5_principal *client)
124 {
125 return krb5_copy_principal(context, ticket->client, client);
126 }
127
128 /**
129 * Return server principal in ticket
130 *
131 * @param context a Kerberos 5 context
132 * @param ticket ticket to copy
133 * @param server server principal, free with krb5_free_principal()
134 *
135 * @return Returns 0 to indicate success. Otherwise an kerberos et
136 * error code is returned, see krb5_get_error_message().
137 *
138 * @ingroup krb5
139 */
140
141 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
142 krb5_ticket_get_server(krb5_context context,
143 const krb5_ticket *ticket,
144 krb5_principal *server)
145 {
146 return krb5_copy_principal(context, ticket->server, server);
147 }
148
149 /**
150 * Return end time of ticket
151 *
152 * @param context a Kerberos 5 context
153 * @param ticket ticket to copy
154 *
155 * @return end time of ticket
156 *
157 * @ingroup krb5
158 */
159
160 KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
161 krb5_ticket_get_endtime(krb5_context context,
162 const krb5_ticket *ticket)
163 {
164 return ticket->ticket.endtime;
165 }
166
167 /**
168 * Get the flags from the Kerberos ticket
169 *
170 * @param context Kerberos context
171 * @param ticket Kerberos ticket
172 *
173 * @return ticket flags
174 *
175 * @ingroup krb5_ticket
176 */
177 KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
178 krb5_ticket_get_flags(krb5_context context,
179 const krb5_ticket *ticket)
180 {
181 return TicketFlags2int(ticket->ticket.flags);
182 }
183
184 static int
185 find_type_in_ad(krb5_context context,
186 int type,
187 krb5_data *data,
188 krb5_boolean *found,
189 krb5_boolean failp,
190 krb5_keyblock *sessionkey,
191 const AuthorizationData *ad,
192 int level)
193 {
194 krb5_error_code ret = 0;
195 size_t i;
196
197 if (level > 9) {
198 ret = ENOENT; /* XXX */
199 krb5_set_error_message(context, ret,
200 N_("Authorization data nested deeper "
201 "then %d levels, stop searching", ""),
202 level);
203 goto out;
204 }
205
206 /*
207 * Only copy out the element the first time we get to it, we need
208 * to run over the whole authorization data fields to check if
209 * there are any container clases we need to care about.
210 */
211 for (i = 0; i < ad->len; i++) {
212 if (!*found && ad->val[i].ad_type == type) {
213 ret = der_copy_octet_string(&ad->val[i].ad_data, data);
214 if (ret) {
215 krb5_set_error_message(context, ret,
216 N_("malloc: out of memory", ""));
217 goto out;
218 }
219 *found = TRUE;
220 continue;
221 }
222 switch (ad->val[i].ad_type) {
223 case KRB5_AUTHDATA_IF_RELEVANT: {
224 AuthorizationData child;
225 ret = decode_AuthorizationData(ad->val[i].ad_data.data,
226 ad->val[i].ad_data.length,
227 &child,
228 NULL);
229 if (ret) {
230 krb5_set_error_message(context, ret,
231 N_("Failed to decode "
232 "IF_RELEVANT with %d", ""),
233 (int)ret);
234 goto out;
235 }
236 ret = find_type_in_ad(context, type, data, found, FALSE,
237 sessionkey, &child, level + 1);
238 free_AuthorizationData(&child);
239 if (ret)
240 goto out;
241 break;
242 }
243 #if 0 /* XXX test */
244 case KRB5_AUTHDATA_KDC_ISSUED: {
245 AD_KDCIssued child;
246
247 ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
248 ad->val[i].ad_data.length,
249 &child,
250 NULL);
251 if (ret) {
252 krb5_set_error_message(context, ret,
253 N_("Failed to decode "
254 "AD_KDCIssued with %d", ""),
255 ret);
256 goto out;
257 }
258 if (failp) {
259 krb5_boolean valid;
260 krb5_data buf;
261 size_t len;
262
263 ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
264 &child.elements, &len, ret);
265 if (ret) {
266 free_AD_KDCIssued(&child);
267 krb5_clear_error_message(context);
268 goto out;
269 }
270 if(buf.length != len)
271 krb5_abortx(context, "internal error in ASN.1 encoder");
272
273 ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
274 &child.ad_checksum, &valid);
275 krb5_data_free(&buf);
276 if (ret) {
277 free_AD_KDCIssued(&child);
278 goto out;
279 }
280 if (!valid) {
281 krb5_clear_error_message(context);
282 ret = ENOENT;
283 free_AD_KDCIssued(&child);
284 goto out;
285 }
286 }
287 ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
288 &child.elements, level + 1);
289 free_AD_KDCIssued(&child);
290 if (ret)
291 goto out;
292 break;
293 }
294 #endif
295 case KRB5_AUTHDATA_AND_OR:
296 if (!failp)
297 break;
298 ret = ENOENT; /* XXX */
299 krb5_set_error_message(context, ret,
300 N_("Authorization data contains "
301 "AND-OR element that is unknown to the "
302 "application", ""));
303 goto out;
304 default:
305 if (!failp)
306 break;
307 ret = ENOENT; /* XXX */
308 krb5_set_error_message(context, ret,
309 N_("Authorization data contains "
310 "unknown type (%d) ", ""),
311 ad->val[i].ad_type);
312 goto out;
313 }
314 }
315 out:
316 if (ret) {
317 if (*found) {
318 krb5_data_free(data);
319 *found = 0;
320 }
321 }
322 return ret;
323 }
324
325 /**
326 * Extract the authorization data type of type from the ticket. Store
327 * the field in data. This function is to use for kerberos
328 * applications.
329 *
330 * @param context a Kerberos 5 context
331 * @param ticket Kerberos ticket
332 * @param type type to fetch
333 * @param data returned data, free with krb5_data_free()
334 *
335 * @ingroup krb5
336 */
337
338 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
339 krb5_ticket_get_authorization_data_type(krb5_context context,
340 krb5_ticket *ticket,
341 int type,
342 krb5_data *data)
343 {
344 AuthorizationData *ad;
345 krb5_error_code ret;
346 krb5_boolean found = FALSE;
347
348 krb5_data_zero(data);
349
350 ad = ticket->ticket.authorization_data;
351 if (ticket->ticket.authorization_data == NULL) {
352 krb5_set_error_message(context, ENOENT,
353 N_("Ticket have not authorization data", ""));
354 return ENOENT; /* XXX */
355 }
356
357 ret = find_type_in_ad(context, type, data, &found, TRUE,
358 &ticket->ticket.key, ad, 0);
359 if (ret)
360 return ret;
361 if (!found) {
362 krb5_set_error_message(context, ENOENT,
363 N_("Ticket have not "
364 "authorization data of type %d", ""),
365 type);
366 return ENOENT; /* XXX */
367 }
368 return 0;
369 }
370
371 static krb5_error_code
372 check_server_referral(krb5_context context,
373 krb5_kdc_rep *rep,
374 unsigned flags,
375 krb5_const_principal requested,
376 krb5_const_principal returned,
377 krb5_keyblock * key)
378 {
379 krb5_error_code ret;
380 PA_ServerReferralData ref;
381 krb5_crypto session;
382 EncryptedData ed;
383 size_t len;
384 krb5_data data;
385 PA_DATA *pa;
386 int i = 0, cmp;
387
388 if (rep->kdc_rep.padata == NULL)
389 goto noreferral;
390
391 pa = krb5_find_padata(rep->kdc_rep.padata->val,
392 rep->kdc_rep.padata->len,
393 KRB5_PADATA_SERVER_REFERRAL, &i);
394 if (pa == NULL)
395 goto noreferral;
396
397 memset(&ed, 0, sizeof(ed));
398 memset(&ref, 0, sizeof(ref));
399
400 ret = decode_EncryptedData(pa->padata_value.data,
401 pa->padata_value.length,
402 &ed, &len);
403 if (ret)
404 return ret;
405 if (len != pa->padata_value.length) {
406 free_EncryptedData(&ed);
407 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
408 N_("Referral EncryptedData wrong for realm %s",
409 "realm"), requested->realm);
410 return KRB5KRB_AP_ERR_MODIFIED;
411 }
412
413 ret = krb5_crypto_init(context, key, 0, &session);
414 if (ret) {
415 free_EncryptedData(&ed);
416 return ret;
417 }
418
419 ret = krb5_decrypt_EncryptedData(context, session,
420 KRB5_KU_PA_SERVER_REFERRAL,
421 &ed, &data);
422 free_EncryptedData(&ed);
423 krb5_crypto_destroy(context, session);
424 if (ret)
425 return ret;
426
427 ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
428 if (ret) {
429 krb5_data_free(&data);
430 return ret;
431 }
432 krb5_data_free(&data);
433
434 if (strcmp(requested->realm, returned->realm) != 0) {
435 free_PA_ServerReferralData(&ref);
436 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
437 N_("server ref realm mismatch, "
438 "requested realm %s got back %s", ""),
439 requested->realm, returned->realm);
440 return KRB5KRB_AP_ERR_MODIFIED;
441 }
442
443 if (krb5_principal_is_krbtgt(context, returned)) {
444 const char *realm = returned->name.name_string.val[1];
445
446 if (ref.referred_realm == NULL
447 || strcmp(*ref.referred_realm, realm) != 0)
448 {
449 free_PA_ServerReferralData(&ref);
450 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
451 N_("tgt returned with wrong ref", ""));
452 return KRB5KRB_AP_ERR_MODIFIED;
453 }
454 } else if (krb5_principal_compare(context, returned, requested) == 0) {
455 free_PA_ServerReferralData(&ref);
456 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
457 N_("req princ no same as returned", ""));
458 return KRB5KRB_AP_ERR_MODIFIED;
459 }
460
461 if (ref.requested_principal_name) {
462 cmp = _krb5_principal_compare_PrincipalName(context,
463 requested,
464 ref.requested_principal_name);
465 if (!cmp) {
466 free_PA_ServerReferralData(&ref);
467 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
468 N_("referred principal not same "
469 "as requested", ""));
470 return KRB5KRB_AP_ERR_MODIFIED;
471 }
472 } else if (flags & EXTRACT_TICKET_AS_REQ) {
473 free_PA_ServerReferralData(&ref);
474 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
475 N_("Requested principal missing on AS-REQ", ""));
476 return KRB5KRB_AP_ERR_MODIFIED;
477 }
478
479 free_PA_ServerReferralData(&ref);
480
481 return ret;
482 noreferral:
483 /*
484 * Expect excact match or that we got a krbtgt
485 */
486 if (krb5_principal_compare(context, requested, returned) != TRUE &&
487 (krb5_realm_compare(context, requested, returned) != TRUE &&
488 krb5_principal_is_krbtgt(context, returned) != TRUE))
489 {
490 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
491 N_("Not same server principal returned "
492 "as requested", ""));
493 return KRB5KRB_AP_ERR_MODIFIED;
494 }
495 return 0;
496 }
497
498
499 /*
500 * Verify referral data
501 */
502
503
504 static krb5_error_code
505 check_client_referral(krb5_context context,
506 krb5_kdc_rep *rep,
507 krb5_const_principal requested,
508 krb5_const_principal mapped,
509 krb5_keyblock const * key)
510 {
511 krb5_error_code ret;
512 PA_ClientCanonicalized canon;
513 krb5_crypto crypto;
514 krb5_data data;
515 PA_DATA *pa;
516 size_t len;
517 int i = 0;
518
519 if (rep->kdc_rep.padata == NULL)
520 goto noreferral;
521
522 pa = krb5_find_padata(rep->kdc_rep.padata->val,
523 rep->kdc_rep.padata->len,
524 KRB5_PADATA_CLIENT_CANONICALIZED, &i);
525 if (pa == NULL)
526 goto noreferral;
527
528 ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
529 pa->padata_value.length,
530 &canon, &len);
531 if (ret) {
532 krb5_set_error_message(context, ret,
533 N_("Failed to decode ClientCanonicalized "
534 "from realm %s", ""), requested->realm);
535 return ret;
536 }
537
538 ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
539 &canon.names, &len, ret);
540 if (ret) {
541 free_PA_ClientCanonicalized(&canon);
542 return ret;
543 }
544 if (data.length != len)
545 krb5_abortx(context, "internal asn.1 error");
546
547 ret = krb5_crypto_init(context, key, 0, &crypto);
548 if (ret) {
549 free(data.data);
550 free_PA_ClientCanonicalized(&canon);
551 return ret;
552 }
553
554 ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
555 data.data, data.length,
556 &canon.canon_checksum);
557 krb5_crypto_destroy(context, crypto);
558 free(data.data);
559 if (ret) {
560 krb5_set_error_message(context, ret,
561 N_("Failed to verify client canonicalized "
562 "data from realm %s", ""),
563 requested->realm);
564 free_PA_ClientCanonicalized(&canon);
565 return ret;
566 }
567
568 if (!_krb5_principal_compare_PrincipalName(context,
569 requested,
570 &canon.names.requested_name))
571 {
572 free_PA_ClientCanonicalized(&canon);
573 krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
574 N_("Requested name doesn't match"
575 " in client referral", ""));
576 return KRB5_PRINC_NOMATCH;
577 }
578 if (!_krb5_principal_compare_PrincipalName(context,
579 mapped,
580 &canon.names.mapped_name))
581 {
582 free_PA_ClientCanonicalized(&canon);
583 krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
584 N_("Mapped name doesn't match"
585 " in client referral", ""));
586 return KRB5_PRINC_NOMATCH;
587 }
588
589 return 0;
590
591 noreferral:
592 if (krb5_principal_compare(context, requested, mapped) == FALSE &&
593 !rep->enc_part.flags.enc_pa_rep)
594 {
595 krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
596 N_("Not same client principal returned "
597 "as requested", ""));
598 return KRB5KRB_AP_ERR_MODIFIED;
599 }
600 return 0;
601 }
602
603
604 static krb5_error_code KRB5_CALLCONV
605 decrypt_tkt (krb5_context context,
606 krb5_keyblock *key,
607 krb5_key_usage usage,
608 krb5_const_pointer decrypt_arg,
609 krb5_kdc_rep *dec_rep)
610 {
611 krb5_error_code ret;
612 krb5_data data;
613 size_t size;
614 krb5_crypto crypto;
615
616 ret = krb5_crypto_init(context, key, 0, &crypto);
617 if (ret)
618 return ret;
619
620 ret = krb5_decrypt_EncryptedData (context,
621 crypto,
622 usage,
623 &dec_rep->kdc_rep.enc_part,
624 &data);
625 krb5_crypto_destroy(context, crypto);
626
627 if (ret)
628 return ret;
629
630 ret = decode_EncASRepPart(data.data,
631 data.length,
632 &dec_rep->enc_part,
633 &size);
634 if (ret)
635 ret = decode_EncTGSRepPart(data.data,
636 data.length,
637 &dec_rep->enc_part,
638 &size);
639 krb5_data_free (&data);
640 if (ret) {
641 krb5_set_error_message(context, ret,
642 N_("Failed to decode encpart in ticket", ""));
643 return ret;
644 }
645 return 0;
646 }
647
648 int
649 _krb5_extract_ticket(krb5_context context,
650 krb5_kdc_rep *rep,
651 krb5_creds *creds,
652 krb5_keyblock *key,
653 krb5_const_pointer keyseed,
654 krb5_key_usage key_usage,
655 krb5_addresses *addrs,
656 unsigned nonce,
657 unsigned flags,
658 krb5_data *request,
659 krb5_decrypt_proc decrypt_proc,
660 krb5_const_pointer decryptarg)
661 {
662 krb5_error_code ret;
663 krb5_principal tmp_principal;
664 size_t len = 0;
665 time_t tmp_time;
666 krb5_timestamp sec_now;
667
668 /* decrypt */
669
670 if (decrypt_proc == NULL)
671 decrypt_proc = decrypt_tkt;
672
673 ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
674 if (ret)
675 goto out;
676
677 if (rep->enc_part.flags.enc_pa_rep && request) {
678 krb5_crypto crypto = NULL;
679 Checksum cksum;
680 PA_DATA *pa = NULL;
681 int idx = 0;
682
683 _krb5_debug(context, 5, "processing enc-ap-rep");
684
685 if (rep->enc_part.encrypted_pa_data == NULL ||
686 (pa = krb5_find_padata(rep->enc_part.encrypted_pa_data->val,
687 rep->enc_part.encrypted_pa_data->len,
688 KRB5_PADATA_REQ_ENC_PA_REP,
689 &idx)) == NULL)
690 {
691 _krb5_debug(context, 5, "KRB5_PADATA_REQ_ENC_PA_REP missing");
692 ret = KRB5KRB_AP_ERR_MODIFIED;
693 goto out;
694 }
695
696 ret = krb5_crypto_init(context, key, 0, &crypto);
697 if (ret)
698 goto out;
699
700 ret = decode_Checksum(pa->padata_value.data,
701 pa->padata_value.length,
702 &cksum, NULL);
703 if (ret) {
704 krb5_crypto_destroy(context, crypto);
705 goto out;
706 }
707
708 ret = krb5_verify_checksum(context, crypto,
709 KRB5_KU_AS_REQ,
710 request->data, request->length,
711 &cksum);
712 krb5_crypto_destroy(context, crypto);
713 free_Checksum(&cksum);
714 _krb5_debug(context, 5, "enc-ap-rep: %svalid", (ret == 0) ? "" : "in");
715 if (ret)
716 goto out;
717 }
718
719 /* save session key */
720
721 creds->session.keyvalue.length = 0;
722 creds->session.keyvalue.data = NULL;
723 creds->session.keytype = rep->enc_part.key.keytype;
724 ret = krb5_data_copy (&creds->session.keyvalue,
725 rep->enc_part.key.keyvalue.data,
726 rep->enc_part.key.keyvalue.length);
727 if (ret) {
728 krb5_clear_error_message(context);
729 goto out;
730 }
731
732 /* compare client and save */
733 ret = _krb5_principalname2krb5_principal(context,
734 &tmp_principal,
735 rep->kdc_rep.cname,
736 rep->kdc_rep.crealm);
737 if (ret)
738 goto out;
739
740 /* check client referral and save principal */
741 /* anonymous here ? */
742 if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
743 ret = check_client_referral(context, rep,
744 creds->client,
745 tmp_principal,
746 &creds->session);
747 if (ret) {
748 krb5_free_principal (context, tmp_principal);
749 goto out;
750 }
751 }
752 krb5_free_principal (context, creds->client);
753 creds->client = tmp_principal;
754
755 /* check server referral and save principal */
756 ret = _krb5_principalname2krb5_principal (context,
757 &tmp_principal,
758 rep->kdc_rep.ticket.sname,
759 rep->kdc_rep.ticket.realm);
760 if (ret)
761 goto out;
762 if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
763 ret = check_server_referral(context,
764 rep,
765 flags,
766 creds->server,
767 tmp_principal,
768 &creds->session);
769 if (ret) {
770 krb5_free_principal (context, tmp_principal);
771 goto out;
772 }
773 }
774 krb5_free_principal(context, creds->server);
775 creds->server = tmp_principal;
776
777 /* verify names */
778 if(flags & EXTRACT_TICKET_MATCH_REALM){
779 const char *srealm = krb5_principal_get_realm(context, creds->server);
780 const char *crealm = krb5_principal_get_realm(context, creds->client);
781
782 if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
783 strcmp(rep->enc_part.srealm, crealm) != 0)
784 {
785 ret = KRB5KRB_AP_ERR_MODIFIED;
786 krb5_clear_error_message(context);
787 goto out;
788 }
789 }
790
791 /* compare nonces */
792
793 if (nonce != (unsigned)rep->enc_part.nonce) {
794 ret = KRB5KRB_AP_ERR_MODIFIED;
795 krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
796 goto out;
797 }
798
799 /* set kdc-offset */
800
801 krb5_timeofday (context, &sec_now);
802 if (rep->enc_part.flags.initial
803 && (flags & EXTRACT_TICKET_TIMESYNC)
804 && context->kdc_sec_offset == 0
805 && krb5_config_get_bool (context, NULL,
806 "libdefaults",
807 "kdc_timesync",
808 NULL)) {
809 context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
810 krb5_timeofday (context, &sec_now);
811 }
812
813 /* check all times */
814
815 if (rep->enc_part.starttime) {
816 tmp_time = *rep->enc_part.starttime;
817 } else
818 tmp_time = rep->enc_part.authtime;
819
820 if (creds->times.starttime == 0
821 && abs(tmp_time - sec_now) > context->max_skew) {
822 ret = KRB5KRB_AP_ERR_SKEW;
823 krb5_set_error_message (context, ret,
824 N_("time skew (%d) larger than max (%d)", ""),
825 abs(tmp_time - sec_now),
826 (int)context->max_skew);
827 goto out;
828 }
829
830 if (creds->times.starttime != 0
831 && tmp_time != creds->times.starttime) {
832 krb5_clear_error_message (context);
833 ret = KRB5KRB_AP_ERR_MODIFIED;
834 goto out;
835 }
836
837 creds->times.starttime = tmp_time;
838
839 if (rep->enc_part.renew_till) {
840 tmp_time = *rep->enc_part.renew_till;
841 } else
842 tmp_time = 0;
843
844 if (creds->times.renew_till != 0
845 && tmp_time > creds->times.renew_till) {
846 krb5_clear_error_message (context);
847 ret = KRB5KRB_AP_ERR_MODIFIED;
848 goto out;
849 }
850
851 creds->times.renew_till = tmp_time;
852
853 creds->times.authtime = rep->enc_part.authtime;
854
855 if (creds->times.endtime != 0
856 && rep->enc_part.endtime > creds->times.endtime) {
857 krb5_clear_error_message (context);
858 ret = KRB5KRB_AP_ERR_MODIFIED;
859 goto out;
860 }
861
862 creds->times.endtime = rep->enc_part.endtime;
863
864 if(rep->enc_part.caddr)
865 krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses);
866 else if(addrs)
867 krb5_copy_addresses (context, addrs, &creds->addresses);
868 else {
869 creds->addresses.len = 0;
870 creds->addresses.val = NULL;
871 }
872 creds->flags.b = rep->enc_part.flags;
873
874 creds->authdata.len = 0;
875 creds->authdata.val = NULL;
876
877 /* extract ticket */
878 ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
879 &rep->kdc_rep.ticket, &len, ret);
880 if(ret)
881 goto out;
882 if (creds->ticket.length != len)
883 krb5_abortx(context, "internal error in ASN.1 encoder");
884 creds->second_ticket.length = 0;
885 creds->second_ticket.data = NULL;
886
887
888 out:
889 memset (rep->enc_part.key.keyvalue.data, 0,
890 rep->enc_part.key.keyvalue.length);
891 return ret;
892 }
Heimdal