Home | History | Annotate | Line # | Download | only in krb5 
      1 /*	$NetBSD: get_in_tkt.c,v 1.3 2019/12/15 22:50:50 christos Exp $	*/
      2 
      3 /*
      4  * Copyright (c) 1997 - 2008 Kungliga Tekniska Hgskolan
      5  * (Royal Institute of Technology, Stockholm, Sweden).
      6  * All rights reserved.
      7  *
      8  * Redistribution and use in source and binary forms, with or without
      9  * modification, are permitted provided that the following conditions
     10  * are met:
     11  *
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  *
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in the
     17  *    documentation and/or other materials provided with the distribution.
     18  *
     19  * 3. Neither the name of the Institute nor the names of its contributors
     20  *    may be used to endorse or promote products derived from this software
     21  *    without specific prior written permission.
     22  *
     23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
     24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
     27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     33  * SUCH DAMAGE.
     34  */
     35 
     36 #define KRB5_DEPRECATED_FUNCTION(x)
     37 
     38 #include "krb5_locl.h"
     39 
     40 #ifndef HEIMDAL_SMALLER
     41 
     42 static krb5_error_code
     43 make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
     44 		      krb5_enctype etype, krb5_keyblock *key)
     45 {
     46     PA_ENC_TS_ENC p;
     47     unsigned char *buf;
     48     size_t buf_size;
     49     size_t len = 0;
     50     EncryptedData encdata;
     51     krb5_error_code ret;
     52     int32_t usec;
     53     int usec2;
     54     krb5_crypto crypto;
     55 
     56     krb5_us_timeofday (context, &p.patimestamp, &usec);
     57     usec2         = usec;
     58     p.pausec      = &usec2;
     59 
     60     ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
     61     if (ret)
     62 	return ret;
     63     if(buf_size != len)
     64 	krb5_abortx(context, "internal error in ASN.1 encoder");
     65     ret = krb5_crypto_init(context, key, 0, &crypto);
     66     if (ret) {
     67 	free(buf);
     68 	return ret;
     69     }
     70     ret = krb5_encrypt_EncryptedData(context,
     71 				     crypto,
     72 				     KRB5_KU_PA_ENC_TIMESTAMP,
     73 				     buf,
     74 				     len,
     75 				     0,
     76 				     &encdata);
     77     free(buf);
     78     krb5_crypto_destroy(context, crypto);
     79     if (ret)
     80 	return ret;
     81 
     82     ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
     83     free_EncryptedData(&encdata);
     84     if (ret)
     85 	return ret;
     86     if(buf_size != len)
     87 	krb5_abortx(context, "internal error in ASN.1 encoder");
     88     pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
     89     pa->padata_value.length = len;
     90     pa->padata_value.data = buf;
     91     return 0;
     92 }
     93 
     94 static krb5_error_code
     95 add_padata(krb5_context context,
     96 	   METHOD_DATA *md,
     97 	   krb5_principal client,
     98 	   krb5_key_proc key_proc,
     99 	   krb5_const_pointer keyseed,
    100 	   krb5_enctype *enctypes,
    101 	   unsigned netypes,
    102 	   krb5_salt *salt)
    103 {
    104     krb5_error_code ret;
    105     PA_DATA *pa2;
    106     krb5_salt salt2;
    107     krb5_enctype *ep;
    108     size_t i;
    109 
    110     if(salt == NULL) {
    111 	/* default to standard salt */
    112 	ret = krb5_get_pw_salt (context, client, &salt2);
    113 	if (ret)
    114 	    return ret;
    115 	salt = &salt2;
    116     }
    117     if (!enctypes) {
    118 	enctypes = context->etypes;
    119 	netypes = 0;
    120 	for (ep = enctypes; *ep != (krb5_enctype)ETYPE_NULL; ep++)
    121 	    netypes++;
    122     }
    123     pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
    124     if (pa2 == NULL)
    125 	return krb5_enomem(context);
    126     md->val = pa2;
    127 
    128     for (i = 0; i < netypes; ++i) {
    129 	krb5_keyblock *key;
    130 
    131 	ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key);
    132 	if (ret)
    133 	    continue;
    134 	ret = make_pa_enc_timestamp (context, &md->val[md->len],
    135 				     enctypes[i], key);
    136 	krb5_free_keyblock (context, key);
    137 	if (ret)
    138 	    return ret;
    139 	++md->len;
    140     }
    141     if(salt == &salt2)
    142 	krb5_free_salt(context, salt2);
    143     return 0;
    144 }
    145 
    146 static krb5_error_code
    147 init_as_req (krb5_context context,
    148 	     KDCOptions opts,
    149 	     krb5_creds *creds,
    150 	     const krb5_addresses *addrs,
    151 	     const krb5_enctype *etypes,
    152 	     const krb5_preauthtype *ptypes,
    153 	     const krb5_preauthdata *preauth,
    154 	     krb5_key_proc key_proc,
    155 	     krb5_const_pointer keyseed,
    156 	     unsigned nonce,
    157 	     AS_REQ *a)
    158 {
    159     krb5_error_code ret;
    160     krb5_salt salt;
    161 
    162     memset(a, 0, sizeof(*a));
    163 
    164     a->pvno = 5;
    165     a->msg_type = krb_as_req;
    166     a->req_body.kdc_options = opts;
    167     a->req_body.cname = malloc(sizeof(*a->req_body.cname));
    168     if (a->req_body.cname == NULL) {
    169 	ret = krb5_enomem(context);
    170 	goto fail;
    171     }
    172     a->req_body.sname = malloc(sizeof(*a->req_body.sname));
    173     if (a->req_body.sname == NULL) {
    174 	ret = krb5_enomem(context);
    175 	goto fail;
    176     }
    177     ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
    178     if (ret)
    179 	goto fail;
    180     ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
    181     if (ret)
    182 	goto fail;
    183     ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
    184     if (ret)
    185 	goto fail;
    186 
    187     if(creds->times.starttime) {
    188 	a->req_body.from = malloc(sizeof(*a->req_body.from));
    189 	if (a->req_body.from == NULL) {
    190 	    ret = krb5_enomem(context);
    191 	    goto fail;
    192 	}
    193 	*a->req_body.from = creds->times.starttime;
    194     }
    195     if(creds->times.endtime){
    196 	ALLOC(a->req_body.till, 1);
    197 	*a->req_body.till = creds->times.endtime;
    198     }
    199     if(creds->times.renew_till){
    200 	a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
    201 	if (a->req_body.rtime == NULL) {
    202 	    ret = krb5_enomem(context);
    203 	    goto fail;
    204 	}
    205 	*a->req_body.rtime = creds->times.renew_till;
    206     }
    207     a->req_body.nonce = nonce;
    208     ret = _krb5_init_etype(context,
    209 			   KRB5_PDU_AS_REQUEST,
    210 			   &a->req_body.etype.len,
    211 			   &a->req_body.etype.val,
    212 			   etypes);
    213     if (ret)
    214 	goto fail;
    215 
    216     /*
    217      * This means no addresses
    218      */
    219 
    220     if (addrs && addrs->len == 0) {
    221 	a->req_body.addresses = NULL;
    222     } else {
    223 	a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
    224 	if (a->req_body.addresses == NULL) {
    225 	    ret = krb5_enomem(context);
    226 	    goto fail;
    227 	}
    228 
    229 	if (addrs)
    230 	    ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
    231 	else {
    232 	    ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
    233 	    if(ret == 0 && a->req_body.addresses->len == 0) {
    234 		free(a->req_body.addresses);
    235 		a->req_body.addresses = NULL;
    236 	    }
    237 	}
    238 	if (ret)
    239 	    return ret;
    240     }
    241 
    242     a->req_body.enc_authorization_data = NULL;
    243     a->req_body.additional_tickets = NULL;
    244 
    245     if(preauth != NULL) {
    246 	size_t i;
    247 	ALLOC(a->padata, 1);
    248 	if(a->padata == NULL) {
    249 	    ret = krb5_enomem(context);
    250 	    goto fail;
    251 	}
    252 	a->padata->val = NULL;
    253 	a->padata->len = 0;
    254 	for(i = 0; i < preauth->len; i++) {
    255 	    if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
    256 		size_t j;
    257 
    258 		for(j = 0; j < preauth->val[i].info.len; j++) {
    259 		    krb5_salt *sp = &salt;
    260 		    if(preauth->val[i].info.val[j].salttype)
    261 			salt.salttype = *preauth->val[i].info.val[j].salttype;
    262 		    else
    263 			salt.salttype = KRB5_PW_SALT;
    264 		    if(preauth->val[i].info.val[j].salt)
    265 			salt.saltvalue = *preauth->val[i].info.val[j].salt;
    266 		    else
    267 			if(salt.salttype == KRB5_PW_SALT)
    268 			    sp = NULL;
    269 			else
    270 			    krb5_data_zero(&salt.saltvalue);
    271 		    ret = add_padata(context, a->padata, creds->client,
    272 				     key_proc, keyseed,
    273 				     &preauth->val[i].info.val[j].etype, 1,
    274 				     sp);
    275 		    if (ret == 0)
    276 			break;
    277 		}
    278 	    }
    279 	}
    280     } else
    281     /* not sure this is the way to use `ptypes' */
    282     if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
    283 	a->padata = NULL;
    284     else if (*ptypes ==  KRB5_PADATA_ENC_TIMESTAMP) {
    285 	ALLOC(a->padata, 1);
    286 	if (a->padata == NULL) {
    287 	    ret = krb5_enomem(context);
    288 	    goto fail;
    289 	}
    290 	a->padata->len = 0;
    291 	a->padata->val = NULL;
    292 
    293 	/* make a v5 salted pa-data */
    294 	add_padata(context, a->padata, creds->client,
    295 		   key_proc, keyseed, a->req_body.etype.val,
    296 		   a->req_body.etype.len, NULL);
    297 
    298 	/* make a v4 salted pa-data */
    299 	salt.salttype = KRB5_PW_SALT;
    300 	krb5_data_zero(&salt.saltvalue);
    301 	add_padata(context, a->padata, creds->client,
    302 		   key_proc, keyseed, a->req_body.etype.val,
    303 		   a->req_body.etype.len, &salt);
    304     } else {
    305 	ret = KRB5_PREAUTH_BAD_TYPE;
    306 	krb5_set_error_message (context, ret,
    307 				N_("pre-auth type %d not supported", ""),
    308 			       *ptypes);
    309 	goto fail;
    310     }
    311     return 0;
    312 fail:
    313     free_AS_REQ(a);
    314     return ret;
    315 }
    316 
    317 static int
    318 set_ptypes(krb5_context context,
    319 	   KRB_ERROR *error,
    320 	   const krb5_preauthtype **ptypes,
    321 	   krb5_preauthdata **preauth)
    322 {
    323     static krb5_preauthdata preauth2;
    324     static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
    325 
    326     if(error->e_data) {
    327 	METHOD_DATA md;
    328 	size_t i;
    329 	decode_METHOD_DATA(error->e_data->data,
    330 			   error->e_data->length,
    331 			   &md,
    332 			   NULL);
    333 	for(i = 0; i < md.len; i++){
    334 	    switch(md.val[i].padata_type){
    335 	    case KRB5_PADATA_ENC_TIMESTAMP:
    336 		*ptypes = ptypes2;
    337 		break;
    338 	    case KRB5_PADATA_ETYPE_INFO:
    339 		*preauth = &preauth2;
    340 		ALLOC_SEQ(*preauth, 1);
    341 		(*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
    342 		decode_ETYPE_INFO(md.val[i].padata_value.data,
    343 				  md.val[i].padata_value.length,
    344 				  &(*preauth)->val[0].info,
    345 				  NULL);
    346 		break;
    347 	    default:
    348 		break;
    349 	    }
    350 	}
    351 	free_METHOD_DATA(&md);
    352     } else {
    353 	*ptypes = ptypes2;
    354     }
    355     return(1);
    356 }
    357 
    358 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
    359 krb5_get_in_cred(krb5_context context,
    360 		 krb5_flags options,
    361 		 const krb5_addresses *addrs,
    362 		 const krb5_enctype *etypes,
    363 		 const krb5_preauthtype *ptypes,
    364 		 const krb5_preauthdata *preauth,
    365 		 krb5_key_proc key_proc,
    366 		 krb5_const_pointer keyseed,
    367 		 krb5_decrypt_proc decrypt_proc,
    368 		 krb5_const_pointer decryptarg,
    369 		 krb5_creds *creds,
    370 		 krb5_kdc_rep *ret_as_reply)
    371     KRB5_DEPRECATED_FUNCTION("Use X instead")
    372 {
    373     krb5_error_code ret;
    374     AS_REQ a;
    375     krb5_kdc_rep rep;
    376     krb5_data req, resp;
    377     size_t len = 0;
    378     krb5_salt salt;
    379     krb5_keyblock *key;
    380     size_t size;
    381     KDCOptions opts;
    382     PA_DATA *pa;
    383     krb5_enctype etype;
    384     krb5_preauthdata *my_preauth = NULL;
    385     unsigned nonce;
    386     int done;
    387 
    388     opts = int2KDCOptions(options);
    389 
    390     krb5_generate_random_block (&nonce, sizeof(nonce));
    391     nonce &= 0xffffffff;
    392 
    393     do {
    394 	done = 1;
    395 	ret = init_as_req (context,
    396 			   opts,
    397 			   creds,
    398 			   addrs,
    399 			   etypes,
    400 			   ptypes,
    401 			   preauth,
    402 			   key_proc,
    403 			   keyseed,
    404 			   nonce,
    405 			   &a);
    406 	if (my_preauth) {
    407 	    free_ETYPE_INFO(&my_preauth->val[0].info);
    408 	    free (my_preauth->val);
    409 	    my_preauth = NULL;
    410 	}
    411 	if (ret)
    412 	    return ret;
    413 
    414 	ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, &a, &len, ret);
    415 	free_AS_REQ(&a);
    416 	if (ret)
    417 	    return ret;
    418 	if(len != req.length)
    419 	    krb5_abortx(context, "internal error in ASN.1 encoder");
    420 
    421 	ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
    422 	krb5_data_free(&req);
    423 	if (ret)
    424 	    return ret;
    425 
    426 	memset (&rep, 0, sizeof(rep));
    427 	ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
    428 	if(ret) {
    429 	    /* let's try to parse it as a KRB-ERROR */
    430 	    KRB_ERROR error;
    431 	    int ret2;
    432 
    433 	    ret2 = krb5_rd_error(context, &resp, &error);
    434 	    if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
    435 		ret = KRB5KRB_AP_ERR_V4_REPLY;
    436 	    krb5_data_free(&resp);
    437 	    if (ret2 == 0) {
    438 		ret = krb5_error_from_rd_error(context, &error, creds);
    439 		/* if no preauth was set and KDC requires it, give it
    440                    one more try */
    441 		if (!ptypes && !preauth
    442 		    && ret == KRB5KDC_ERR_PREAUTH_REQUIRED
    443 #if 0
    444 			|| ret == KRB5KDC_ERR_BADOPTION
    445 #endif
    446 		    && set_ptypes(context, &error, &ptypes, &my_preauth)) {
    447 		    done = 0;
    448 		    preauth = my_preauth;
    449 		    krb5_free_error_contents(context, &error);
    450 		    krb5_clear_error_message(context);
    451 		    continue;
    452 		}
    453 		if(ret_as_reply)
    454 		    ret_as_reply->error = error;
    455 		else
    456 		    free_KRB_ERROR (&error);
    457 		return ret;
    458 	    }
    459 	    return ret;
    460 	}
    461 	krb5_data_free(&resp);
    462     } while(!done);
    463 
    464     pa = NULL;
    465     etype = rep.kdc_rep.enc_part.etype;
    466     if(rep.kdc_rep.padata){
    467 	int i = 0;
    468 	pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
    469 			      KRB5_PADATA_PW_SALT, &i);
    470 	if(pa == NULL) {
    471 	    i = 0;
    472 	    pa = krb5_find_padata(rep.kdc_rep.padata->val,
    473 				  rep.kdc_rep.padata->len,
    474 				  KRB5_PADATA_AFS3_SALT, &i);
    475 	}
    476     }
    477     if(pa) {
    478 	salt.salttype = (krb5_salttype)pa->padata_type;
    479 	salt.saltvalue = pa->padata_value;
    480 
    481 	ret = (*key_proc)(context, etype, salt, keyseed, &key);
    482     } else {
    483 	/* make a v5 salted pa-data */
    484 	ret = krb5_get_pw_salt (context, creds->client, &salt);
    485 
    486 	if (ret)
    487 	    goto out;
    488 	ret = (*key_proc)(context, etype, salt, keyseed, &key);
    489 	krb5_free_salt(context, salt);
    490     }
    491     if (ret)
    492 	goto out;
    493 
    494     {
    495 	unsigned flags = EXTRACT_TICKET_TIMESYNC;
    496 	if (opts.request_anonymous)
    497 	    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH | EXTRACT_TICKET_MATCH_ANON;
    498 
    499 	ret = _krb5_extract_ticket(context,
    500 				   &rep,
    501 				   creds,
    502 				   key,
    503 				   keyseed,
    504 				   KRB5_KU_AS_REP_ENC_PART,
    505 				   NULL,
    506 				   nonce,
    507 				   flags,
    508 				   NULL,
    509 				   decrypt_proc,
    510 				   decryptarg);
    511     }
    512     memset (key->keyvalue.data, 0, key->keyvalue.length);
    513     krb5_free_keyblock_contents (context, key);
    514     free (key);
    515 
    516 out:
    517     if (ret == 0 && ret_as_reply)
    518 	*ret_as_reply = rep;
    519     else
    520 	krb5_free_kdc_rep (context, &rep);
    521     return ret;
    522 }
    523 
    524 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
    525 krb5_get_in_tkt(krb5_context context,
    526 		krb5_flags options,
    527 		const krb5_addresses *addrs,
    528 		const krb5_enctype *etypes,
    529 		const krb5_preauthtype *ptypes,
    530 		krb5_key_proc key_proc,
    531 		krb5_const_pointer keyseed,
    532 		krb5_decrypt_proc decrypt_proc,
    533 		krb5_const_pointer decryptarg,
    534 		krb5_creds *creds,
    535 		krb5_ccache ccache,
    536 		krb5_kdc_rep *ret_as_reply)
    537     KRB5_DEPRECATED_FUNCTION("Use X instead")
    538 {
    539     krb5_error_code ret;
    540 
    541     ret = krb5_get_in_cred (context,
    542 			    options,
    543 			    addrs,
    544 			    etypes,
    545 			    ptypes,
    546 			    NULL,
    547 			    key_proc,
    548 			    keyseed,
    549 			    decrypt_proc,
    550 			    decryptarg,
    551 			    creds,
    552 			    ret_as_reply);
    553     if(ret)
    554 	return ret;
    555     if (ccache)
    556 	ret = krb5_cc_store_cred (context, ccache, creds);
    557     return ret;
    558 }
    559 
    560 #endif /* HEIMDAL_SMALLER */
    561