/* $NetBSD: ticket.c,v 1.6 2023/06/19 21:41:45 christos Exp $ */

/*
 * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
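IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "krb5_locl.h"

/**
 * Free ticket and content
 *
 * The session key stored in the decrypted ticket part is overwritten
 * before the structure is released, so that key material does not
 * linger in freed heap memory (same practice as the out: path of
 * _krb5_extract_ticket() below).
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to free; NULL is accepted and is a no-op
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_ticket(krb5_context context,
                 krb5_ticket *ticket)
{
    if (ticket == NULL)
        return 0;

    /*
     * Wipe the session key ourselves rather than relying on the generated
     * free_EncTicketPart() to do it.  NOTE(review): a plain memset right
     * before free() can be elided by the compiler; a memset_s/explicit
     * bzero wrapper would be stronger if one is available to this file.
     */
    if (ticket->ticket.key.keyvalue.data != NULL)
        memset(ticket->ticket.key.keyvalue.data, 0,
               ticket->ticket.key.keyvalue.length);

    free_EncTicketPart(&ticket->ticket);
    krb5_free_principal(context, ticket->client);
    krb5_free_principal(context, ticket->server);
    free(ticket);
    return 0;
}

/**
 * Copy ticket and content
 *
 * On failure nothing is leaked and *to is left NULL.
 *
 * @param context a Kerberos 5 context
 * @param from ticket to copy
 * @param to new copy of ticket, free with krb5_free_ticket()
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_ticket(krb5_context context,
                 const krb5_ticket *from,
                 krb5_ticket **to)
{
    krb5_error_code ret;
    krb5_ticket *copy;

    *to = NULL;

    copy = malloc(sizeof(*copy));
    if (copy == NULL)
        return krb5_enomem(context);

    ret = copy_EncTicketPart(&from->ticket, &copy->ticket);
    if (ret) {
        free(copy);
        return ret;
    }

    ret = krb5_copy_principal(context, from->client, &copy->client);
    if (ret) {
        free_EncTicketPart(&copy->ticket);
        free(copy);
        return ret;
    }

    ret = krb5_copy_principal(context, from->server, &copy->server);
    if (ret) {
        krb5_free_principal(context, copy->client);
        free_EncTicketPart(&copy->ticket);
        free(copy);
        return ret;
    }

    *to = copy;
    return 0;
}

/**
 * Return client principal in ticket
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to copy
 * @param client client principal, free with krb5_free_principal()
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_client(krb5_context context,
                       const krb5_ticket *ticket,
                       krb5_principal *client)
{
    /* A copy is handed out so the caller cannot alias ticket internals. */
    return krb5_copy_principal(context, ticket->client, client);
}

/**
 * Return server principal in ticket
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to copy
 * @param server server principal, free with krb5_free_principal()
 *
 * @return Returns 0 to indicate success. Otherwise an kerberos et
 * error code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_server(krb5_context context,
                       const krb5_ticket *ticket,
                       krb5_principal *server)
{
    return krb5_copy_principal(context, ticket->server, server);
}

/**
 * Return end time of ticket
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to copy
 *
 * @return end time of ticket
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_ticket_get_endtime(krb5_context context,
                        const krb5_ticket *ticket)
{
    return ticket->ticket.endtime;
}

/**
 * Get the flags from the Kerberos ticket
 *
 * @param context Kerberos context
 * @param ticket Kerberos ticket
 *
 * @return ticket flags
 *
 * @ingroup krb5_ticket
 */
KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
krb5_ticket_get_flags(krb5_context context,
                      const krb5_ticket *ticket)
{
    return TicketFlags2int(ticket->ticket.flags);
}

/*
 * Search an AuthorizationData sequence (recursively through IF-RELEVANT
 * containers) for the first element of ad_type `type` and copy its
 * ad_data into `data`.
 *
 *   found       in/out: set to TRUE once an element has been copied out;
 *               later matches are ignored, but the scan continues so
 *               that container elements are still examined.
 *   failp       when TRUE, an AND-OR element or an element of unknown
 *               type makes the search fail with ENOENT (top-level
 *               semantics); the recursion into IF-RELEVANT passes FALSE
 *               so unknown types inside it are skipped.
 *   sessionkey  only referenced by the KDC-ISSUED branch, which is
 *               compiled out (#if 0) below.
 *   level       recursion depth; more than 9 nested levels is rejected.
 *
 * Nothing here authenticates the element that is returned: the AD-KDC-ISSUED
 * checksum verification is not compiled in, so callers get the raw bytes as
 * they appear in the ticket.
 *
 * On any error the partially copied `data` is released and *found reset.
 */
static int
find_type_in_ad(krb5_context context,
                int type,
                krb5_data *data,
                krb5_boolean *found,
                krb5_boolean failp,
                krb5_keyblock *sessionkey,
                const AuthorizationData *ad,
                int level)
{
    krb5_error_code ret = 0;
    size_t i;

    if (level > 9) {
        ret = ENOENT; /* XXX */
        krb5_set_error_message(context, ret,
                               N_("Authorization data nested deeper "
                                  "then %d levels, stop searching", ""),
                               level);
        goto out;
    }

    /*
     * Only copy out the element the first time we get to it, we need
     * to run over the whole authorization data fields to check if
     * there are any container clases we need to care about.
     */
    for (i = 0; i < ad->len; i++) {
        if (!*found && ad->val[i].ad_type == type) {
            ret = der_copy_octet_string(&ad->val[i].ad_data, data);
            if (ret) {
                krb5_set_error_message(context, ret,
                                       N_("malloc: out of memory", ""));
                goto out;
            }
            *found = TRUE;
            continue;
        }
        switch (ad->val[i].ad_type) {
        case KRB5_AUTHDATA_IF_RELEVANT: {
            AuthorizationData child;
            ret = decode_AuthorizationData(ad->val[i].ad_data.data,
                                           ad->val[i].ad_data.length,
                                           &child,
                                           NULL);
            if (ret) {
                krb5_set_error_message(context, ret,
                                       N_("Failed to decode "
                                          "IF_RELEVANT with %d", ""),
                                       (int)ret);
                goto out;
            }
            /* Unknown types inside IF-RELEVANT are ignorable: failp = FALSE. */
            ret = find_type_in_ad(context, type, data, found, FALSE,
                                  sessionkey, &child, level + 1);
            free_AuthorizationData(&child);
            if (ret)
                goto out;
            break;
        }
#if 0 /* XXX test */
        case KRB5_AUTHDATA_KDC_ISSUED: {
            AD_KDCIssued child;

            ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
                                      ad->val[i].ad_data.length,
                                      &child,
                                      NULL);
            if (ret) {
                krb5_set_error_message(context, ret,
                                       N_("Failed to decode "
                                          "AD_KDCIssued with %d", ""),
                                       ret);
                goto out;
            }
            if (failp) {
                krb5_boolean valid;
                krb5_data buf;
                size_t len;

                ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
                                   &child.elements, &len, ret);
                if (ret) {
                    free_AD_KDCIssued(&child);
                    krb5_clear_error_message(context);
                    goto out;
                }
                if(buf.length != len)
                    krb5_abortx(context, "internal error in ASN.1 encoder");

                ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
                                             &child.ad_checksum, &valid);
                krb5_data_free(&buf);
                if (ret) {
                    free_AD_KDCIssued(&child);
                    goto out;
                }
                if (!valid) {
                    krb5_clear_error_message(context);
                    ret = ENOENT;
                    free_AD_KDCIssued(&child);
                    goto out;
                }
            }
            ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
                                  &child.elements, level + 1);
            free_AD_KDCIssued(&child);
            if (ret)
                goto out;
            break;
        }
#endif
        case KRB5_AUTHDATA_AND_OR:
            if (!failp)
                break;
            ret = ENOENT; /* XXX */
            krb5_set_error_message(context, ret,
                                   N_("Authorization data contains "
                                      "AND-OR element that is unknown to the "
                                      "application", ""));
            goto out;
        default:
            if (!failp)
                break;
            ret = ENOENT; /* XXX */
            krb5_set_error_message(context, ret,
                                   N_("Authorization data contains "
                                      "unknown type (%d) ", ""),
                                   ad->val[i].ad_type);
            goto out;
        }
    }
out:
    if (ret) {
        /* Never hand back a partial result together with an error. */
        if (*found) {
            krb5_data_free(data);
            *found = 0;
        }
    }
    return ret;
}

/*
 * Internal: fetch the authorization-data element of ad_type `type` from an
 * arbitrary AuthorizationData sequence.  `data` is zeroed first and is
 * only populated on success (free with krb5_data_free()).  Returns ENOENT
 * when there is no authorization data at all or no element of that type.
 *
 * The returned element is not authenticated, see find_type_in_ad().
 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_ad(krb5_context context,
             const AuthorizationData *ad,
             krb5_keyblock *sessionkey,
             int type,
             krb5_data *data)
{
    krb5_boolean found = FALSE;
    krb5_error_code ret;

    krb5_data_zero(data);

    if (ad == NULL) {
        krb5_set_error_message(context, ENOENT,
                               N_("No authorization data", ""));
        return ENOENT; /* XXX */
    }

    ret = find_type_in_ad(context, type, data, &found, TRUE, sessionkey, ad, 0);
    if (ret)
        return ret;
    if (!found) {
        krb5_set_error_message(context, ENOENT,
                               N_("Have no authorization data of type %d", ""),
                               type);
        return ENOENT; /* XXX */
    }
    return 0;
}


/**
 * Extract the authorization data type of type from the ticket. Store
 * the field in data. This function is to use for kerberos
 * applications.
 *
 * The element is returned exactly as it appears in the decrypted ticket;
 * it is NOT authenticated by this function.  Authorization data can be
 * placed in a ticket at the client's request (RFC 4120 lets a TGS-REQ
 * carry authorization data that the KDC copies into the issued ticket),
 * and the AD-KDC-ISSUED checksum check in this file is compiled out, so
 * callers must not treat the bytes as KDC-asserted unless they verify
 * them by other means (for example a PAC with a valid KDC signature).
 *
 * @param context a Kerberos 5 context
 * @param ticket Kerberos ticket
 * @param type type to fetch
 * @param data returned data, free with krb5_data_free()
 *
 * @return 0 on success; ENOENT if the ticket carries no authorization
 * data, or none of the requested type (an error message is set).
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_authorization_data_type(krb5_context context,
                                        krb5_ticket *ticket,
                                        int type,
                                        krb5_data *data)
{
    AuthorizationData *ad;
    krb5_error_code ret;
    krb5_boolean found = FALSE;

    krb5_data_zero(data);

    ad = ticket->ticket.authorization_data;
    if (ad == NULL) {
        krb5_set_error_message(context, ENOENT,
                               N_("Ticket have not authorization data", ""));
        return ENOENT; /* XXX */
    }

    /* failp = TRUE: unknown top-level element types are an error. */
    ret = find_type_in_ad(context, type, data, &found, TRUE,
                          &ticket->ticket.key, ad, 0);
    if (ret)
        return ret;
    if (!found) {
        krb5_set_error_message(context, ENOENT,
                               N_("Ticket have not "
                                  "authorization data of type %d", ""),
                               type);
        return ENOENT; /* XXX */
    }
    return 0;
}

/*
 * Check that the server principal named in a KDC reply is acceptable
 * given the principal that was requested.
 *
 * If the reply carries PA-SERVER-REFERRAL pre-authentication data, that
 * data is decrypted with `key` (the reply's session key, key usage
 * KRB5_KU_PA_SERVER_REFERRAL) and the returned name must be consistent
 * with it: realms must match, a krbtgt reply must name the referred
 * realm, any other reply must name exactly the requested principal, and
 * requested_principal_name (mandatory on the AS-REQ path, see
 * EXTRACT_TICKET_AS_REQ in `flags`) must match the request.
 *
 * Without referral data see the noreferral comment below for what is
 * accepted.  All mismatches are reported as KRB5KRB_AP_ERR_MODIFIED.
 */
static krb5_error_code
check_server_referral(krb5_context context,
                      krb5_kdc_rep *rep,
                      unsigned flags,
                      krb5_const_principal requested,
                      krb5_const_principal returned,
                      krb5_keyblock * key)
{
    krb5_error_code ret;
    PA_ServerReferralData ref;
    krb5_crypto session;
    EncryptedData ed;
    size_t len;
    krb5_data data;
    PA_DATA *pa;
    int i = 0, cmp;

    if (rep->kdc_rep.padata == NULL)
        goto noreferral;

    pa = krb5_find_padata(rep->kdc_rep.padata->val,
                          rep->kdc_rep.padata->len,
                          KRB5_PADATA_SERVER_REFERRAL, &i);
    if (pa == NULL)
        goto noreferral;

    memset(&ed, 0, sizeof(ed));
    memset(&ref, 0, sizeof(ref));

    ret = decode_EncryptedData(pa->padata_value.data,
                               pa->padata_value.length,
                               &ed, &len);
    if (ret)
        return ret;
    /* Trailing bytes after the outer EncryptedData are treated as tampering. */
    if (len != pa->padata_value.length) {
        free_EncryptedData(&ed);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Referral EncryptedData wrong for realm %s",
                                  "realm"), requested->realm);
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    ret = krb5_crypto_init(context, key, 0, &session);
    if (ret) {
        free_EncryptedData(&ed);
        return ret;
    }

    ret = krb5_decrypt_EncryptedData(context, session,
                                     KRB5_KU_PA_SERVER_REFERRAL,
                                     &ed, &data);
    free_EncryptedData(&ed);
    krb5_crypto_destroy(context, session);
    if (ret)
        return ret;

    /*
     * No length check on the decrypted payload here: the plaintext of some
     * enctypes carries padding after the DER value, so only the decoder's
     * own result is used.
     */
    ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
    krb5_data_free(&data);
    if (ret)
        return ret;

    if (strcmp(requested->realm, returned->realm) != 0) {
        free_PA_ServerReferralData(&ref);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("server ref realm mismatch, "
                                  "requested realm %s got back %s", ""),
                               requested->realm, returned->realm);
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    if (krb5_principal_is_krbtgt(context, returned)) {
        /* krbtgt/<realm>@...: presumably is_krbtgt() guarantees two components. */
        const char *realm = returned->name.name_string.val[1];

        if (ref.referred_realm == NULL
            || strcmp(*ref.referred_realm, realm) != 0)
        {
            free_PA_ServerReferralData(&ref);
            krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                                   N_("tgt returned with wrong ref", ""));
            return KRB5KRB_AP_ERR_MODIFIED;
        }
    } else if (krb5_principal_compare(context, returned, requested) == 0) {
        free_PA_ServerReferralData(&ref);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("req princ no same as returned", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    if (ref.requested_principal_name) {
        cmp = _krb5_principal_compare_PrincipalName(context,
                                                    requested,
                                                    ref.requested_principal_name);
        if (!cmp) {
            free_PA_ServerReferralData(&ref);
            krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                                   N_("referred principal not same "
                                      "as requested", ""));
            return KRB5KRB_AP_ERR_MODIFIED;
        }
    } else if (flags & EXTRACT_TICKET_AS_REQ) {
        free_PA_ServerReferralData(&ref);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Requested principal missing on AS-REQ", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    free_PA_ServerReferralData(&ref);

    return 0;

noreferral:
    /*
     * No PA-SERVER-REFERRAL in the reply.  Despite the historical
     * "exact match or krbtgt" description, what the condition below
     * actually accepts is any ONE of:
     *   - the returned principal equals the requested one, or
     *   - the returned principal is in the requested realm
     *     (presumably to allow KDC name canonicalisation), or
     *   - the returned principal is a krbtgt, in any realm.
     * NOTE(review): the second and third cases mean a reply naming a
     * different service in the same realm, or a krbtgt of another
     * realm, passes this check.  Callers needing a strict match must
     * compare creds->server themselves; EXTRACT_TICKET_MATCH_REALM in
     * _krb5_extract_ticket() only compares realms.
     */
    if (krb5_principal_compare(context, requested, returned) != TRUE &&
        (krb5_realm_compare(context, requested, returned) != TRUE &&
         krb5_principal_is_krbtgt(context, returned) != TRUE))
    {
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Not same server principal returned "
                                  "as requested", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }
    return 0;
}

/*
 * Verify KDC supported anonymous if requested
 *
 * Returns KRB5KDC_ERR_BADOPTION when the reply does not carry the
 * anonymous ticket flag, and KRB5KRB_AP_ERR_MODIFIED when the client
 * name in the reply (`mapped`) is not the anonymous principal of the
 * kind expected for the request (`requested`).  No error message is
 * set for either case; callers see only the code.
 */
static krb5_error_code
check_client_anonymous(krb5_context context,
                       krb5_kdc_rep *rep,
                       krb5_const_principal requested,
                       krb5_const_principal mapped,
                       krb5_boolean is_tgs_rep)
{
    int flags;

    if (!rep->enc_part.flags.anonymous)
        return KRB5KDC_ERR_BADOPTION;

    /*
     * Here we must validate that the AS returned a ticket of the expected type
     * for either a fully anonymous request, or authenticated request for an
     * anonymous ticket. If this is a TGS request, we're done. Then if the
     * 'requested' principal was anonymous, we'll check the 'mapped' principal
     * accordingly (without enforcing the name type and perhaps the realm).
     * Finally, if the 'requested' principal was not anonymous, well check
     * that the 'mapped' principal has an anonymous name and type, in a
     * non-anonymous realm. (Should we also be checking for a realm match
     * between the request and the mapped name in this case?)
     */
    if (is_tgs_rep)
        flags = KRB5_ANON_MATCH_ANY_NONT;
    else if (krb5_principal_is_anonymous(context, requested,
                                         KRB5_ANON_MATCH_ANY_NONT))
        flags = KRB5_ANON_MATCH_UNAUTHENTICATED | KRB5_ANON_IGNORE_NAME_TYPE;
    else
        flags = KRB5_ANON_MATCH_AUTHENTICATED;

    if (!krb5_principal_is_anonymous(context, mapped, flags))
        return KRB5KRB_AP_ERR_MODIFIED;

    return 0;
}

/*
 * Verify returned client principal name in anonymous/referral case
 *
 * An anonymous reply must name an anonymous client.  Otherwise the
 * client name must equal the requested one, unless the KDC set the
 * enc_pa_rep flag, in which case a differing (canonicalised) name is
 * accepted.  NOTE(review): _krb5_extract_ticket() verifies the
 * enc-pa-rep checksum over the request only when a request is supplied
 * (the AS path); on the TGS path the flag is taken as-is from the
 * KDC-encrypted reply.  `key` is currently unused.
 */
static krb5_error_code
check_client_mismatch(krb5_context context,
                      krb5_kdc_rep *rep,
                      krb5_const_principal requested,
                      krb5_const_principal mapped,
                      krb5_keyblock const * key)
{
    if (rep->enc_part.flags.anonymous) {
        if (!krb5_principal_is_anonymous(context, mapped,
                                         KRB5_ANON_MATCH_ANY_NONT)) {
            krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                                   N_("Anonymous ticket does not contain anonymous "
                                      "principal", ""));
            return KRB5KRB_AP_ERR_MODIFIED;
        }
        return 0;
    }

    if (krb5_principal_compare(context, requested, mapped) == FALSE &&
        !rep->enc_part.flags.enc_pa_rep) {
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Not same client principal returned "
                                  "as requested", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    return 0;
}


/*
 * Default krb5_decrypt_proc: decrypt the enc-part of a KDC reply with
 * `key` under `usage` and decode it into dec_rep->enc_part.  The
 * EncASRepPart decoder is tried first and EncTGSRepPart second
 * (presumably to tolerate KDCs that use the other application tag).
 * `decrypt_arg` is unused here.
 */
static krb5_error_code KRB5_CALLCONV
decrypt_tkt (krb5_context context,
             krb5_keyblock *key,
             krb5_key_usage usage,
             krb5_const_pointer decrypt_arg,
             krb5_kdc_rep *dec_rep)
{
    krb5_error_code ret;
    krb5_data data;
    size_t size;
    krb5_crypto crypto;

    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret)
        return ret;

    ret = krb5_decrypt_EncryptedData (context,
                                      crypto,
                                      usage,
                                      &dec_rep->kdc_rep.enc_part,
                                      &data);
    krb5_crypto_destroy(context, crypto);

    if (ret)
        return ret;

    ret = decode_EncASRepPart(data.data,
                              data.length,
                              &dec_rep->enc_part,
                              &size);
    if (ret)
        ret = decode_EncTGSRepPart(data.data,
                                   data.length,
                                   &dec_rep->enc_part,
                                   &size);
    krb5_data_free (&data);
    if (ret) {
        krb5_set_error_message(context, ret,
                               N_("Failed to decode encpart in ticket", ""));
        return ret;
    }
    return 0;
}

/*
 * Decrypt a KDC reply and fill in `creds` from it, verifying the reply
 * against what was requested.
 *
 *   rep          the reply; its enc-part is decrypted in place and the
 *                session key inside it is wiped before returning
 *   creds        in: creds->client, creds->server and creds->times as
 *                requested; out: session key, principals, times,
 *                addresses, flags and the encoded ticket
 *   key/key_usage  decryption key and usage for the enc-part
 *   keyseed      unused
 *   addrs        fallback addresses when the reply has no caddr
 *   nonce        must equal the nonce in the decrypted reply
 *   flags        EXTRACT_TICKET_* controlling the checks below
 *   request      encoded AS-REQ, used to verify enc-pa-rep; NULL on
 *                the TGS path
 *   decrypt_proc/decryptarg  custom decryptor, decrypt_tkt() if NULL
 *
 * Checks performed: enc-pa-rep checksum (AS path, when the KDC set the
 * flag), anonymous handling, client and server name checks, optional
 * realm match, nonce, and that the returned times are no later than
 * the requested ones.  Returns a krb5 error code, with
 * KRB5KRB_AP_ERR_MODIFIED for any mismatch with the request.
 */
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
_krb5_extract_ticket(krb5_context context,
                     krb5_kdc_rep *rep,
                     krb5_creds *creds,
                     krb5_keyblock *key,
                     krb5_const_pointer keyseed,
                     krb5_key_usage key_usage,
                     krb5_addresses *addrs,
                     unsigned nonce,
                     unsigned flags,
                     krb5_data *request,
                     krb5_decrypt_proc decrypt_proc,
                     krb5_const_pointer decryptarg)
{
    krb5_error_code ret;
    krb5_principal tmp_principal;
    size_t len = 0;
    time_t tmp_time;
    krb5_timestamp sec_now;

    /* decrypt */

    if (decrypt_proc == NULL)
        decrypt_proc = decrypt_tkt;

    ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
    if (ret)
        goto out;

    /*
     * enc-pa-rep: the KDC returns a checksum over the exact AS-REQ it
     * saw, keyed with the reply key, so a request altered in transit is
     * detected.  Only possible when the caller supplied the request.
     */
    if (rep->enc_part.flags.enc_pa_rep && request) {
        krb5_crypto crypto = NULL;
        Checksum cksum;
        PA_DATA *pa = NULL;
        int idx = 0;

        _krb5_debug(context, 5, "processing enc-ap-rep");

        if (rep->enc_part.encrypted_pa_data == NULL ||
            (pa = krb5_find_padata(rep->enc_part.encrypted_pa_data->val,
                                   rep->enc_part.encrypted_pa_data->len,
                                   KRB5_PADATA_REQ_ENC_PA_REP,
                                   &idx)) == NULL)
        {
            _krb5_debug(context, 5, "KRB5_PADATA_REQ_ENC_PA_REP missing");
            ret = KRB5KRB_AP_ERR_MODIFIED;
            goto out;
        }

        ret = krb5_crypto_init(context, key, 0, &crypto);
        if (ret)
            goto out;

        ret = decode_Checksum(pa->padata_value.data,
                              pa->padata_value.length,
                              &cksum, NULL);
        if (ret) {
            krb5_crypto_destroy(context, crypto);
            goto out;
        }

        ret = krb5_verify_checksum(context, crypto,
                                   KRB5_KU_AS_REQ,
                                   request->data, request->length,
                                   &cksum);
        krb5_crypto_destroy(context, crypto);
        free_Checksum(&cksum);
        _krb5_debug(context, 5, "enc-ap-rep: %svalid", (ret == 0) ? "" : "in");
        if (ret)
            goto out;
    }

    /* save session key */

    creds->session.keyvalue.length = 0;
    creds->session.keyvalue.data = NULL;
    creds->session.keytype = rep->enc_part.key.keytype;
    ret = krb5_data_copy (&creds->session.keyvalue,
                          rep->enc_part.key.keyvalue.data,
                          rep->enc_part.key.keyvalue.length);
    if (ret) {
        krb5_clear_error_message(context);
        goto out;
    }

    /* compare client and save */
    ret = _krb5_principalname2krb5_principal(context,
                                             &tmp_principal,
                                             rep->kdc_rep.cname,
                                             rep->kdc_rep.crealm);
    if (ret)
        goto out;

    /* check KDC supported anonymous if it was requested */
    if (flags & EXTRACT_TICKET_MATCH_ANON) {
        ret = check_client_anonymous(context, rep,
                                     creds->client,
                                     tmp_principal,
                                     request == NULL); /* is TGS */
        if (ret) {
            krb5_free_principal(context, tmp_principal);
            goto out;
        }
    }

    /* check client referral and save principal */
    if ((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
        ret = check_client_mismatch(context, rep,
                                    creds->client,
                                    tmp_principal,
                                    &creds->session);
        if (ret) {
            krb5_free_principal (context, tmp_principal);
            goto out;
        }
    }
    krb5_free_principal (context, creds->client);
    creds->client = tmp_principal;

    /* check server referral and save principal */
    ret = _krb5_principalname2krb5_principal (context,
                                              &tmp_principal,
                                              rep->enc_part.sname,
                                              rep->enc_part.srealm);
    if (ret)
        goto out;
    if ((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0) {
        ret = check_server_referral(context,
                                    rep,
                                    flags,
                                    creds->server,
                                    tmp_principal,
                                    &creds->session);
        if (ret) {
            krb5_free_principal (context, tmp_principal);
            goto out;
        }
    }
    krb5_free_principal(context, creds->server);
    creds->server = tmp_principal;

    /* verify names: both principals must live in the reply's srealm */
    if (flags & EXTRACT_TICKET_MATCH_REALM) {
        const char *srealm = krb5_principal_get_realm(context, creds->server);
        const char *crealm = krb5_principal_get_realm(context, creds->client);

        if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
            strcmp(rep->enc_part.srealm, crealm) != 0)
        {
            ret = KRB5KRB_AP_ERR_MODIFIED;
            krb5_clear_error_message(context);
            goto out;
        }
    }

    /* compare nonces: binds this reply to our request (anti-replay) */

    if (nonce != (unsigned)rep->enc_part.nonce) {
        ret = KRB5KRB_AP_ERR_MODIFIED;
        /* Was a copy-pasted "malloc: out of memory" message. */
        krb5_set_error_message(context, ret,
                               N_("nonce in KDC reply does not match request", ""));
        goto out;
    }

    /* set kdc-offset */

    krb5_timeofday (context, &sec_now);
    if (rep->enc_part.flags.initial
        && (flags & EXTRACT_TICKET_TIMESYNC)
        && context->kdc_sec_offset == 0
        && krb5_config_get_bool (context, NULL,
                                 "libdefaults",
                                 "kdc_timesync",
                                 NULL)) {
        /* Learn the clock offset from an initial ticket, then re-read now. */
        context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
        krb5_timeofday (context, &sec_now);
    }

    /* check all times */

    if (rep->enc_part.starttime) {
        tmp_time = *rep->enc_part.starttime;
    } else
        tmp_time = rep->enc_part.authtime;

    /* Skew is only checked when the caller did not ask for a starttime. */
    if (creds->times.starttime == 0
        && labs(tmp_time - sec_now) > context->max_skew) {
        ret = KRB5KRB_AP_ERR_SKEW;
        krb5_set_error_message (context, ret,
                                N_("time skew (%ld) larger than max (%ld)", ""),
                                labs(tmp_time - sec_now),
                                (long)context->max_skew);
        goto out;
    }

    if (creds->times.starttime != 0
        && tmp_time != creds->times.starttime) {
        krb5_clear_error_message (context);
        ret = KRB5KRB_AP_ERR_MODIFIED;
        goto out;
    }

    creds->times.starttime = tmp_time;

    if (rep->enc_part.renew_till) {
        tmp_time = *rep->enc_part.renew_till;
    } else
        tmp_time = 0;

    /* The KDC may shorten but never extend what was requested. */
    if (creds->times.renew_till != 0
        && tmp_time > creds->times.renew_till) {
        krb5_clear_error_message (context);
        ret = KRB5KRB_AP_ERR_MODIFIED;
        goto out;
    }

    creds->times.renew_till = tmp_time;

    creds->times.authtime = rep->enc_part.authtime;

    if (creds->times.endtime != 0
        && rep->enc_part.endtime > creds->times.endtime) {
        krb5_clear_error_message (context);
        ret = KRB5KRB_AP_ERR_MODIFIED;
        goto out;
    }

    creds->times.endtime = rep->enc_part.endtime;

    /* Addresses: the copy can fail on allocation; do not ignore that. */
    if (rep->enc_part.caddr)
        ret = krb5_copy_addresses (context, rep->enc_part.caddr,
                                   &creds->addresses);
    else if (addrs)
        ret = krb5_copy_addresses (context, addrs, &creds->addresses);
    else {
        creds->addresses.len = 0;
        creds->addresses.val = NULL;
        ret = 0;
    }
    if (ret)
        goto out;

    creds->flags.b = rep->enc_part.flags;

    creds->authdata.len = 0;
    creds->authdata.val = NULL;

    /* extract ticket */
    ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
                       &rep->kdc_rep.ticket, &len, ret);
    if (ret)
        goto out;
    if (creds->ticket.length != len)
        krb5_abortx(context, "internal error in ASN.1 encoder");
    creds->second_ticket.length = 0;
    creds->second_ticket.data = NULL;


out:
    /*
     * Scrub the session key left in the decrypted reply on every path.
     * NOTE(review): a plain memset may be elided by the compiler; a
     * memset_s-style wrapper would be the stronger choice here.
     */
    if (rep->enc_part.key.keyvalue.data != NULL)
        memset (rep->enc_part.key.keyvalue.data, 0,
                rep->enc_part.key.keyvalue.length);
    return ret;
}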