1 /*
2 * Copyright (c) 1997 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Kungliga Tekniska
20 * Högskolan and its contributors.
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
#include "kdc_locl.h"
#include <errno.h>
41 RCSID("$Id$");
43 #ifdef KRB4
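/*
 * Handle a 524 request: convert the Kerberos 5 ticket `t' into a
 * Kerberos 4 ticket for the same service principal.
 *
 * `from' is the textual address of the requester and is used only for
 * logging.  `reply' receives the wire reply, which is built on every
 * path that reaches `out': an int32 status code, and when that code is
 * zero the server's kvno, the encrypted v4 ticket stored as a KTEXT_ST
 * (length-prefixed data padded out to MAX_KTXT_LEN) and a trailing
 * int32 that must be zero.
 *
 * Returns 0 when the reply was assembled (a conversion failure is then
 * reported by the status inside the reply), otherwise the error that
 * prevented the reply itself from being produced.
 */
krb5_error_code
do_524(Ticket *t, krb5_data *reply, const char *from)
{
    krb5_error_code ret = 0;		/* status carried in the reply */
    krb5_principal sprinc = NULL;
    hdb_entry *server = NULL;		/* NULL until db_fetch succeeds */
    Key *skey;
    krb5_data et_data;
    EncTicketPart et;
    EncryptedData ticket;
    krb5_storage *sp;
    char *spn = NULL;
    /* one KTEXT_ST plus the int32 fields that surround it in the reply */
    unsigned char buf[MAX_KTXT_LEN + 4 * 4];
    size_t len;

    ret = principalname2krb5_principal(&sprinc, t->sname, t->realm);
    if(ret){
	kdc_log(0, "Failed to parse server name in ticket from %s", from);
	goto out;
    }
    ret = krb5_unparse_name(context, sprinc, &spn);
    if(ret){
	kdc_log(0, "Failed to unparse server name in ticket from %s", from);
	goto out;
    }
    server = db_fetch(sprinc);
    if(server == NULL){
	kdc_log(0, "Request to convert ticket from %s for unknown principal %s",
		from, spn);
	/* a status is required here: with ret still 0 the reply code
	   below would read server->kvno through a NULL pointer */
	ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
	goto out;
    }
    ret = hdb_etype2key(context, server, t->enc_part.etype, &skey);
    if(ret){
	kdc_log(0, "No suitable key found for server (%s) "
		"when converting ticket from %s", spn, from);
	goto out;
    }
    ret = krb5_decrypt (context,
			t->enc_part.cipher.data,
			t->enc_part.cipher.length,
			t->enc_part.etype,
			&skey->key,
			&et_data);
    if(ret){
	kdc_log(0, "Failed to decrypt ticket from %s for %s", from, spn);
	goto out;
    }
    ret = decode_EncTicketPart(et_data.data, et_data.length, &et, &len);
    krb5_data_free(&et_data);
    if(ret){
	kdc_log(0, "Failed to decode ticket from %s for %s", from, spn);
	goto out;
    }
    {
	/* log the client named in the ticket; a failure to render the
	   name only costs the log line, not the conversion */
	krb5_principal client;
	char *cpn = NULL;
	if(principalname2krb5_principal(&client, et.cname, et.crealm) == 0){
	    if(krb5_unparse_name(context, client, &cpn) == 0){
		kdc_log(1, "524-REQ %s from %s for %s", cpn, from, spn);
		free(cpn);
	    }
	    krb5_free_principal(context, client);
	}
    }

    /* kdc_time is the request timestamp maintained by the KDC main loop */
    if(et.endtime < kdc_time){
	kdc_log(0, "Ticket expired (%s)", spn);
	free_EncTicketPart(&et);
	ret = KRB5KRB_AP_ERR_TKT_EXPIRED;
	goto out;
    }
    if(et.flags.invalid){
	kdc_log(0, "Ticket not valid (%s)", spn);
	free_EncTicketPart(&et);
	ret = KRB5KRB_AP_ERR_TKT_NYV;
	goto out;
    }

    /* the v4 encoder fills buf backwards from its last byte; on success
       `len' bytes ending at buf + sizeof(buf) hold the ticket */
    ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
			   &et, &t->sname, &len);
    free_EncTicketPart(&et);
    if(ret){
	kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
	goto out;
    }
    ret = hdb_etype2key(context, server, KEYTYPE_DES, &skey);
    if(ret){
	kdc_log(0, "No DES key for server (%s)", spn);
	goto out;
    }
    ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
			    skey->key.keyvalue.data, &ticket);
    if(ret){
	kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
	goto out;
    }
    /* the reply carries the ciphertext as a fixed-size KTEXT_ST, so it
       must fit in MAX_KTXT_LEN; anything longer would make the padding
       seek below go backwards */
    if(ticket.cipher.length > MAX_KTXT_LEN){
	kdc_log(0, "Encrypted v4 ticket too long (%s)", spn);
	free_EncryptedData(&ticket);
	ret = KRB5KRB_ERR_FIELD_TOOLONG;
	goto out;
    }

out:
    /* make reply */
    memset(buf, 0, sizeof(buf));
    sp = krb5_storage_from_mem(buf, sizeof(buf));
    if(sp == NULL){
	/* no storage means no reply; do not leak the ticket built above */
	if(ret == 0)
	    free_EncryptedData(&ticket);
	ret = ENOMEM;
	goto cleanup;
    }
    krb5_store_int32(sp, ret);
    if(ret == 0){
	/* server is non-NULL here: every path with server == NULL set ret */
	krb5_store_int32(sp, server->kvno); /* is this right? */
	krb5_store_data(sp, ticket.cipher);
	/* Aargh! This is coded as a KTEXT_ST. */
	sp->seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
	krb5_store_int32(sp, 0); /* mbz */
	free_EncryptedData(&ticket);
    }
    /* the function's own result is whether the reply could be produced;
       the conversion status travels inside the reply */
    ret = krb5_storage_to_data(sp, reply);
    krb5_storage_free(sp);

cleanup:
    if(spn)
	free(spn);
    if(sprinc)
	krb5_free_principal(context, sprinc);
    if(server){
	hdb_free_entry(context, server);
	free(server);
    }
    return ret;
}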
156 #endif