ticket.c revision 1.2 1 1.1 elric /* $NetBSD: ticket.c,v 1.2 2017/01/28 21:31:49 christos Exp $ */
2 1.1 elric
3 1.1 elric /*
4 1.1 elric * Copyright (c) 1997 - 2001 Kungliga Tekniska Hgskolan
5 1.1 elric * (Royal Institute of Technology, Stockholm, Sweden).
6 1.1 elric * All rights reserved.
7 1.1 elric *
8 1.1 elric * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9 1.1 elric *
10 1.1 elric * Redistribution and use in source and binary forms, with or without
11 1.1 elric * modification, are permitted provided that the following conditions
12 1.1 elric * are met:
13 1.1 elric *
14 1.1 elric * 1. Redistributions of source code must retain the above copyright
15 1.1 elric * notice, this list of conditions and the following disclaimer.
16 1.1 elric *
17 1.1 elric * 2. Redistributions in binary form must reproduce the above copyright
18 1.1 elric * notice, this list of conditions and the following disclaimer in the
19 1.1 elric * documentation and/or other materials provided with the distribution.
20 1.1 elric *
21 1.1 elric * 3. Neither the name of the Institute nor the names of its contributors
22 1.1 elric * may be used to endorse or promote products derived from this software
23 1.1 elric * without specific prior written permission.
24 1.1 elric *
25 1.1 elric * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
26 1.1 elric * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 1.1 elric * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 1.1 elric * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
29 1.1 elric * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 1.1 elric * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 1.1 elric * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 1.1 elric * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 1.1 elric * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 1.1 elric * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 1.1 elric * SUCH DAMAGE.
36 1.1 elric */
37 1.1 elric
38 1.1 elric #include "krb5_locl.h"
39 1.1 elric
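/**
 * Free a ticket and everything it owns.
 *
 * Releases the decoded EncTicketPart, the client and server principals
 * and the krb5_ticket structure itself.  A NULL ticket is accepted and
 * ignored, so error paths may free unconditionally.
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to free, may be NULL
 *
 * @return Returns 0 to indicate success. Otherwise a Kerberos error
 * code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_ticket(krb5_context context,
                 krb5_ticket *ticket)
{
    /* Nothing to release; avoids dereferencing NULL below. */
    if (ticket == NULL)
        return 0;

    free_EncTicketPart(&ticket->ticket);
    krb5_free_principal(context, ticket->client);
    krb5_free_principal(context, ticket->server);
    free(ticket);
    return 0;
}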
62 1.1 elric
/**
 * Deep-copy a ticket.
 *
 * Allocates a new krb5_ticket and copies the EncTicketPart and both
 * principals from @a from.  On any failure everything allocated so far
 * is released again and *to stays NULL.
 *
 * @param context a Kerberos 5 context
 * @param from ticket to copy
 * @param to new copy of ticket, free with krb5_free_ticket()
 *
 * @return Returns 0 to indicate success. Otherwise a Kerberos error
 * code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_copy_ticket(krb5_context context,
                 const krb5_ticket *from,
                 krb5_ticket **to)
{
    krb5_ticket *copy;
    krb5_error_code ret;

    *to = NULL;

    copy = malloc(sizeof(*copy));
    if (copy == NULL)
        return krb5_enomem(context);

    ret = copy_EncTicketPart(&from->ticket, &copy->ticket);
    if (ret)
        goto fail_ticket;

    ret = krb5_copy_principal(context, from->client, &copy->client);
    if (ret)
        goto fail_client;

    ret = krb5_copy_principal(context, from->server, &copy->server);
    if (ret)
        goto fail_server;

    *to = copy;
    return 0;

    /* Unwind in reverse order of acquisition. */
fail_server:
    krb5_free_principal(context, copy->client);
fail_client:
    free_EncTicketPart(&copy->ticket);
fail_ticket:
    free(copy);
    return ret;
}
108 1.1 elric
/**
 * Return a copy of the client principal of a ticket.
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to read the client principal from
 * @param client receives the copied client principal, free with
 *        krb5_free_principal()
 *
 * @return Returns 0 to indicate success. Otherwise a Kerberos error
 * code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_client(krb5_context context,
                       const krb5_ticket *ticket,
                       krb5_principal *client)
{
    /* The ticket keeps its own principal; the caller owns the copy. */
    krb5_const_principal src = ticket->client;

    return krb5_copy_principal(context, src, client);
}
129 1.1 elric
/**
 * Return a copy of the server principal of a ticket.
 *
 * @param context a Kerberos 5 context
 * @param ticket ticket to read the server principal from
 * @param server receives the copied server principal, free with
 *        krb5_free_principal()
 *
 * @return Returns 0 to indicate success. Otherwise a Kerberos error
 * code is returned, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_server(krb5_context context,
                       const krb5_ticket *ticket,
                       krb5_principal *server)
{
    /* The ticket keeps its own principal; the caller owns the copy. */
    krb5_const_principal src = ticket->server;

    return krb5_copy_principal(context, src, server);
}
150 1.1 elric
/**
 * Return the end time of a ticket.
 *
 * @param context a Kerberos 5 context (not used)
 * @param ticket ticket to read the end time from
 *
 * @return end time of ticket, as stored in its EncTicketPart
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
krb5_ticket_get_endtime(krb5_context context,
                        const krb5_ticket *ticket)
{
    const EncTicketPart *enc = &ticket->ticket;

    return enc->endtime;
}
168 1.1 elric
/**
 * Get the flags from the Kerberos ticket
 *
 * @param context Kerberos context (not used)
 * @param ticket Kerberos ticket
 *
 * @return ticket flags, converted from the ASN.1 bit set to an integer
 *
 * @ingroup krb5_ticket
 */
KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
krb5_ticket_get_flags(krb5_context context,
                      const krb5_ticket *ticket)
{
    const EncTicketPart *enc = &ticket->ticket;

    return TicketFlags2int(enc->flags);
}
185 1.1 elric
/*
 * Search the authorization data @ad for an element of type @type and
 * copy the first match into @data, setting *found.
 *
 * The whole list is always walked, even after a match, because
 * container elements (IF_RELEVANT) are descended into recursively and,
 * when @failp is set, AND-OR elements and elements of unknown type are
 * reported as errors.  Recursion stops with ENOENT beyond nine levels.
 *
 * @param failp       if TRUE, AND-OR and unknown element types are an
 *                    error (ENOENT).  IF_RELEVANT children are searched
 *                    with failp == FALSE, since RFC 4120 lets an
 *                    application ignore IF_RELEVANT contents it does not
 *                    understand.
 * @param sessionkey  unused at present: the only use is in the
 *                    KDC-ISSUED verification compiled out below.
 * @param level       current nesting depth, 0 for the top-level call.
 *
 * On error any data already copied out is freed and *found reset, so
 * the caller never receives a half-populated result.
 */
static int
find_type_in_ad(krb5_context context,
                int type,
                krb5_data *data,
                krb5_boolean *found,
                krb5_boolean failp,
                krb5_keyblock *sessionkey,
                const AuthorizationData *ad,
                int level)
{
    krb5_error_code ret = 0;
    size_t i;

    /* Bound the recursion through nested containers. */
    if (level > 9) {
        ret = ENOENT; /* XXX */
        krb5_set_error_message(context, ret,
                               N_("Authorization data nested deeper "
                                  "then %d levels, stop searching", ""),
                               level);
        goto out;
    }

    /*
     * Only copy out the element the first time we get to it, we need
     * to run over the whole authorization data fields to check if
     * there are any container classes we need to care about.
     */
    for (i = 0; i < ad->len; i++) {
        if (!*found && ad->val[i].ad_type == type) {
            ret = der_copy_octet_string(&ad->val[i].ad_data, data);
            if (ret) {
                krb5_set_error_message(context, ret,
                                       N_("malloc: out of memory", ""));
                goto out;
            }
            *found = TRUE;
            /* A matched element is not also treated as a container. */
            continue;
        }
        switch (ad->val[i].ad_type) {
        case KRB5_AUTHDATA_IF_RELEVANT: {
            AuthorizationData child;
            /* Size argument is NULL: trailing bytes are not checked. */
            ret = decode_AuthorizationData(ad->val[i].ad_data.data,
                                           ad->val[i].ad_data.length,
                                           &child,
                                           NULL);
            if (ret) {
                krb5_set_error_message(context, ret,
                                       N_("Failed to decode "
                                          "IF_RELEVANT with %d", ""),
                                       (int)ret);
                goto out;
            }
            /* Contents of IF_RELEVANT may be ignored: recurse with failp FALSE. */
            ret = find_type_in_ad(context, type, data, found, FALSE,
                                  sessionkey, &child, level + 1);
            free_AuthorizationData(&child);
            if (ret)
                goto out;
            break;
        }
#if 0 /* XXX test */
        case KRB5_AUTHDATA_KDC_ISSUED: {
            AD_KDCIssued child;

            ret = decode_AD_KDCIssued(ad->val[i].ad_data.data,
                                      ad->val[i].ad_data.length,
                                      &child,
                                      NULL);
            if (ret) {
                krb5_set_error_message(context, ret,
                                       N_("Failed to decode "
                                          "AD_KDCIssued with %d", ""),
                                       ret);
                goto out;
            }
            if (failp) {
                krb5_boolean valid;
                krb5_data buf;
                size_t len;

                /* Re-encode the elements to verify the KDC's checksum over them. */
                ASN1_MALLOC_ENCODE(AuthorizationData, buf.data, buf.length,
                                   &child.elements, &len, ret);
                if (ret) {
                    free_AD_KDCIssued(&child);
                    krb5_clear_error_message(context);
                    goto out;
                }
                if (buf.length != len)
                    krb5_abortx(context, "internal error in ASN.1 encoder");

                /* 19 is the AD-KDC-ISSUED checksum key usage (RFC 4120 7.5.1). */
                ret = krb5_c_verify_checksum(context, sessionkey, 19, &buf,
                                             &child.ad_checksum, &valid);
                krb5_data_free(&buf);
                if (ret) {
                    free_AD_KDCIssued(&child);
                    goto out;
                }
                if (!valid) {
                    krb5_clear_error_message(context);
                    ret = ENOENT;
                    free_AD_KDCIssued(&child);
                    goto out;
                }
            }
            ret = find_type_in_ad(context, type, data, found, failp, sessionkey,
                                  &child.elements, level + 1);
            free_AD_KDCIssued(&child);
            if (ret)
                goto out;
            break;
        }
#endif
        case KRB5_AUTHDATA_AND_OR:
            /* AND-OR semantics are not implemented; fatal only when failp. */
            if (!failp)
                break;
            ret = ENOENT; /* XXX */
            krb5_set_error_message(context, ret,
                                   N_("Authorization data contains "
                                      "AND-OR element that is unknown to the "
                                      "application", ""));
            goto out;
        default:
            /* Unknown element types are fatal only when failp. */
            if (!failp)
                break;
            ret = ENOENT; /* XXX */
            krb5_set_error_message(context, ret,
                                   N_("Authorization data contains "
                                      "unknown type (%d) ", ""),
                                   ad->val[i].ad_type);
            goto out;
        }
    }
out:
    /*
     * Never hand back a partial result: drop whatever was copied out
     * (possibly by a caller further up sharing *found) and clear the flag.
     */
    if (ret) {
        if (*found) {
            krb5_data_free(data);
            *found = 0;
        }
    }
    return ret;
}
326 1.1 elric
/*
 * Look up the authorization-data element of type @type in @ad and
 * return a copy of its contents in @data.  @data is zeroed first, so on
 * failure it holds nothing the caller needs to free.
 *
 * Returns ENOENT (with a message set on @context) when @ad is NULL or
 * contains no element of that type, otherwise the result of
 * find_type_in_ad().
 */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_get_ad(krb5_context context,
             const AuthorizationData *ad,
             krb5_keyblock *sessionkey,
             int type,
             krb5_data *data)
{
    krb5_error_code ret;
    krb5_boolean have_it = FALSE;

    krb5_data_zero(data);

    if (ad == NULL) {
        krb5_set_error_message(context, ENOENT,
                               N_("No authorization data", ""));
        return ENOENT; /* XXX */
    }

    ret = find_type_in_ad(context, type, data, &have_it, TRUE,
                          sessionkey, ad, 0);
    if (ret != 0)
        return ret;

    if (have_it)
        return 0;

    krb5_set_error_message(context, ENOENT,
                           N_("Have no authorization data of type %d", ""),
                           type);
    return ENOENT; /* XXX */
}
356 1.2 christos
357 1.2 christos
/**
 * Extract the authorization data element of type @a type from the
 * ticket and store a copy of its contents in @a data.  Intended for
 * Kerberos applications inspecting a decrypted ticket.
 *
 * The ticket's session key is passed along to the search, which may use
 * it to verify KDC-issued containers.
 *
 * @param context a Kerberos 5 context
 * @param ticket Kerberos ticket
 * @param type type to fetch
 * @param data returned data, free with krb5_data_free()
 *
 * @return Returns 0 to indicate success, ENOENT when the ticket has no
 * authorization data or no element of that type, otherwise a Kerberos
 * error code, see krb5_get_error_message().
 *
 * @ingroup krb5
 */

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ticket_get_authorization_data_type(krb5_context context,
                                        krb5_ticket *ticket,
                                        int type,
                                        krb5_data *data)
{
    const AuthorizationData *ad = ticket->ticket.authorization_data;
    krb5_boolean matched = FALSE;
    krb5_error_code ret;

    krb5_data_zero(data);

    if (ad == NULL) {
        krb5_set_error_message(context, ENOENT,
                               N_("Ticket have not authorization data", ""));
        return ENOENT; /* XXX */
    }

    ret = find_type_in_ad(context, type, data, &matched, TRUE,
                          &ticket->ticket.key, ad, 0);
    if (ret != 0)
        return ret;
    if (matched)
        return 0;

    krb5_set_error_message(context, ENOENT,
                           N_("Ticket have not "
                              "authorization data of type %d", ""),
                           type);
    return ENOENT; /* XXX */
}
403 1.1 elric
/*
 * Validate a KDC server referral (PA-SERVER-REFERRAL padata, decrypted
 * with the reply @key) against the server principal the client asked
 * for (@requested) and the one the KDC returned (@returned).
 *
 * Without referral padata the names are compared directly in the
 * noreferral: block (see the note there on what it actually rejects).
 * With referral padata: the requested and returned realms must match; a
 * returned krbtgt must carry the referred realm as its second name
 * component; any other returned principal must equal @requested; and
 * the referral's requested_principal_name, when present, must equal
 * @requested -- on an AS-REQ (EXTRACT_TICKET_AS_REQ in @flags) it must
 * be present.
 *
 * Returns 0 when the referral is consistent, KRB5KRB_AP_ERR_MODIFIED
 * when it is not, or the underlying decode/crypto error.
 */
static krb5_error_code
check_server_referral(krb5_context context,
                      krb5_kdc_rep *rep,
                      unsigned flags,
                      krb5_const_principal requested,
                      krb5_const_principal returned,
                      krb5_keyblock * key)
{
    krb5_error_code ret;
    PA_ServerReferralData ref;
    krb5_crypto session;
    EncryptedData ed;
    size_t len;
    krb5_data data;
    PA_DATA *pa;
    int i = 0, cmp;

    /* No padata, or no PA-SERVER-REFERRAL in it: plain name check. */
    if (rep->kdc_rep.padata == NULL)
        goto noreferral;

    pa = krb5_find_padata(rep->kdc_rep.padata->val,
                          rep->kdc_rep.padata->len,
                          KRB5_PADATA_SERVER_REFERRAL, &i);
    if (pa == NULL)
        goto noreferral;

    memset(&ed, 0, sizeof(ed));
    memset(&ref, 0, sizeof(ref));

    /* The padata value must be exactly one EncryptedData, nothing trailing. */
    ret = decode_EncryptedData(pa->padata_value.data,
                               pa->padata_value.length,
                               &ed, &len);
    if (ret)
        return ret;
    if (len != pa->padata_value.length) {
        free_EncryptedData(&ed);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Referral EncryptedData wrong for realm %s",
                                  "realm"), requested->realm);
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    /* Decrypt with the reply key under the PA-SERVER-REFERRAL key usage. */
    ret = krb5_crypto_init(context, key, 0, &session);
    if (ret) {
        free_EncryptedData(&ed);
        return ret;
    }

    ret = krb5_decrypt_EncryptedData(context, session,
                                     KRB5_KU_PA_SERVER_REFERRAL,
                                     &ed, &data);
    free_EncryptedData(&ed);
    krb5_crypto_destroy(context, session);
    if (ret)
        return ret;

    /* Unlike the outer blob, len is not compared with data.length here. */
    ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len);
    if (ret) {
        krb5_data_free(&data);
        return ret;
    }
    krb5_data_free(&data);

    if (strcmp(requested->realm, returned->realm) != 0) {
        free_PA_ServerReferralData(&ref);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("server ref realm mismatch, "
                                  "requested realm %s got back %s", ""),
                               requested->realm, returned->realm);
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    if (krb5_principal_is_krbtgt(context, returned)) {
        /*
         * For krbtgt/<realm> the second name component must be the realm
         * the referral claims to have sent us to.  Indexing val[1] relies
         * on krb5_principal_is_krbtgt() having accepted the name --
         * presumably it requires two components; verify in principal.c.
         */
        const char *realm = returned->name.name_string.val[1];

        if (ref.referred_realm == NULL
            || strcmp(*ref.referred_realm, realm) != 0)
        {
            free_PA_ServerReferralData(&ref);
            krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                                   N_("tgt returned with wrong ref", ""));
            return KRB5KRB_AP_ERR_MODIFIED;
        }
    } else if (krb5_principal_compare(context, returned, requested) == 0) {
        free_PA_ServerReferralData(&ref);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("req princ no same as returned", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    /* The referral echoes the name we asked for; it must be ours. */
    if (ref.requested_principal_name) {
        cmp = _krb5_principal_compare_PrincipalName(context,
                                                    requested,
                                                    ref.requested_principal_name);
        if (!cmp) {
            free_PA_ServerReferralData(&ref);
            krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                                   N_("referred principal not same "
                                      "as requested", ""));
            return KRB5KRB_AP_ERR_MODIFIED;
        }
    } else if (flags & EXTRACT_TICKET_AS_REQ) {
        free_PA_ServerReferralData(&ref);
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Requested principal missing on AS-REQ", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }

    free_PA_ServerReferralData(&ref);

    /* ret is still 0 here: every failure above returned early. */
    return ret;
noreferral:
    /*
     * Expect exact match or that we got a krbtgt.
     *
     * As written this rejects only when the principals differ AND the
     * realms differ AND the returned principal is not a krbtgt, so a
     * different server name within the same realm passes this check.
     */
    if (krb5_principal_compare(context, requested, returned) != TRUE &&
        (krb5_realm_compare(context, requested, returned) != TRUE &&
         krb5_principal_is_krbtgt(context, returned) != TRUE))
    {
        krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                               N_("Not same server principal returned "
                                  "as requested", ""));
        return KRB5KRB_AP_ERR_MODIFIED;
    }
    return 0;
}
530 1.1 elric
531 1.1 elric
/*
 * Check that the client principal the KDC returned (@mapped) is the one
 * the request named (@requested).  A mismatch is tolerated only when the
 * reply carries the enc-pa-rep flag, i.e. when the reply can be bound to
 * our request through the checksum that _krb5_extract_ticket() verifies
 * when it is given the request bytes.
 *
 * @rep's padata and @key are not consulted here.
 *
 * Returns 0 when acceptable, otherwise KRB5KRB_AP_ERR_MODIFIED with a
 * message set on @context.
 */
static krb5_error_code
check_client_referral(krb5_context context,
                      krb5_kdc_rep *rep,
                      krb5_const_principal requested,
                      krb5_const_principal mapped,
                      krb5_keyblock const * key)
{
    krb5_boolean same;

    same = krb5_principal_compare(context, requested, mapped);
    if (same != FALSE || rep->enc_part.flags.enc_pa_rep)
        return 0;

    krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                           N_("Not same client principal returned "
                              "as requested", ""));
    return KRB5KRB_AP_ERR_MODIFIED;
}
554 1.1 elric
555 1.1 elric
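/*
 * Default decrypt callback for _krb5_extract_ticket(): decrypt the
 * enc-part of the KDC reply with @key and decode it into
 * dec_rep->enc_part, trying EncASRepPart first and EncTGSRepPart as a
 * fallback (both decode into the same field).
 *
 * @param usage        key usage for the decryption
 * @param decrypt_arg  unused; present to match the krb5_decrypt_proc
 *                     signature
 *
 * The plaintext contains the session key, so it is wiped before the
 * buffer is freed, as _krb5_extract_ticket() does for the key it
 * extracts.  The decoded length is not compared with the plaintext
 * length, so trailing bytes after the structure are ignored.
 *
 * Returns 0 on success, the crypto error, or the last decode error with
 * a message set on @context.
 */
static krb5_error_code KRB5_CALLCONV
decrypt_tkt(krb5_context context,
            krb5_keyblock *key,
            krb5_key_usage usage,
            krb5_const_pointer decrypt_arg,
            krb5_kdc_rep *dec_rep)
{
    krb5_error_code ret;
    krb5_data data;
    size_t size;
    krb5_crypto crypto;

    ret = krb5_crypto_init(context, key, 0, &crypto);
    if (ret)
        return ret;

    ret = krb5_decrypt_EncryptedData(context,
                                     crypto,
                                     usage,
                                     &dec_rep->kdc_rep.enc_part,
                                     &data);
    krb5_crypto_destroy(context, crypto);

    if (ret)
        return ret;

    /* AS-REP first; a TGS-REP decodes into the same field. */
    ret = decode_EncASRepPart(data.data,
                              data.length,
                              &dec_rep->enc_part,
                              &size);
    if (ret)
        ret = decode_EncTGSRepPart(data.data,
                                   data.length,
                                   &dec_rep->enc_part,
                                   &size);

    /*
     * Scrub the session-key-bearing plaintext before it goes back to
     * the allocator (plain memset, matching the rest of this file).
     */
    if (data.data != NULL)
        memset(data.data, 0, data.length);
    krb5_data_free(&data);

    if (ret) {
        krb5_set_error_message(context, ret,
                               N_("Failed to decode encpart in ticket", ""));
        return ret;
    }
    return 0;
}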
599 1.1 elric
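/*
 * Decrypt a KDC reply and populate @creds from it.
 *
 * In order:
 *  1. decrypt rep->kdc_rep.enc_part into rep->enc_part with
 *     @decrypt_proc (decrypt_tkt() when NULL), using @key/@key_usage
 *     and passing @decryptarg through;
 *  2. when the reply has the enc-pa-rep flag and @request is non-NULL,
 *     verify the KRB5_PADATA_REQ_ENC_PA_REP checksum over the request
 *     bytes with the reply key (KRB5_KU_AS_REQ), binding the reply to
 *     the request we sent;
 *  3. copy the session key, then check and store the client and server
 *     principals via check_client_referral()/check_server_referral(),
 *     unless EXTRACT_TICKET_ALLOW_CNAME_MISMATCH /
 *     EXTRACT_TICKET_ALLOW_SERVER_MISMATCH is set in @flags;
 *  4. with EXTRACT_TICKET_MATCH_REALM, require both principals' realms
 *     to equal the reply's srealm;
 *  5. reject a reply whose nonce is not @nonce;
 *  6. with EXTRACT_TICKET_TIMESYNC, an initial ticket, no stored offset
 *     and libdefaults kdc_timesync, adopt the KDC clock offset; then
 *     check start/renew/end times against max_skew and against any
 *     limits already present in @creds;
 *  7. copy addresses (ticket's caddr, else @addrs), flags and the
 *     DER-encoded ticket into @creds.
 *
 * @keyseed is not used here.  The session key in @rep is zeroed before
 * returning on every path.  On failure @creds is presumably left for the
 * caller to release, as it may be partially filled.
 *
 * Returns 0 or a krb5 error code: KRB5KRB_AP_ERR_MODIFIED for any
 * consistency failure, KRB5KRB_AP_ERR_SKEW for excess clock skew, or
 * the underlying decode/crypto/allocation error.
 */
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
_krb5_extract_ticket(krb5_context context,
                     krb5_kdc_rep *rep,
                     krb5_creds *creds,
                     krb5_keyblock *key,
                     krb5_const_pointer keyseed,
                     krb5_key_usage key_usage,
                     krb5_addresses *addrs,
                     unsigned nonce,
                     unsigned flags,
                     krb5_data *request,
                     krb5_decrypt_proc decrypt_proc,
                     krb5_const_pointer decryptarg)
{
    krb5_error_code ret;
    krb5_principal tmp_principal;
    size_t len = 0;
    time_t tmp_time;
    krb5_timestamp sec_now;

    /* decrypt */

    if (decrypt_proc == NULL)
        decrypt_proc = decrypt_tkt;

    ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep);
    if (ret)
        goto out;

    /*
     * enc-pa-rep: the KDC included a checksum of our request under the
     * reply key.  Verifying it ties this reply to that request; only
     * possible when the caller supplied the request bytes.
     */
    if (rep->enc_part.flags.enc_pa_rep && request) {
        krb5_crypto crypto = NULL;
        Checksum cksum;
        PA_DATA *pa = NULL;
        int idx = 0;

        _krb5_debug(context, 5, "processing enc-ap-rep");

        if (rep->enc_part.encrypted_pa_data == NULL ||
            (pa = krb5_find_padata(rep->enc_part.encrypted_pa_data->val,
                                   rep->enc_part.encrypted_pa_data->len,
                                   KRB5_PADATA_REQ_ENC_PA_REP,
                                   &idx)) == NULL)
        {
            _krb5_debug(context, 5, "KRB5_PADATA_REQ_ENC_PA_REP missing");
            ret = KRB5KRB_AP_ERR_MODIFIED;
            goto out;
        }

        ret = krb5_crypto_init(context, key, 0, &crypto);
        if (ret)
            goto out;

        ret = decode_Checksum(pa->padata_value.data,
                              pa->padata_value.length,
                              &cksum, NULL);
        if (ret) {
            krb5_crypto_destroy(context, crypto);
            goto out;
        }

        ret = krb5_verify_checksum(context, crypto,
                                   KRB5_KU_AS_REQ,
                                   request->data, request->length,
                                   &cksum);
        krb5_crypto_destroy(context, crypto);
        free_Checksum(&cksum);
        _krb5_debug(context, 5, "enc-ap-rep: %svalid", (ret == 0) ? "" : "in");
        if (ret)
            goto out;
    }

    /* save session key */

    creds->session.keyvalue.length = 0;
    creds->session.keyvalue.data = NULL;
    creds->session.keytype = rep->enc_part.key.keytype;
    ret = krb5_data_copy(&creds->session.keyvalue,
                         rep->enc_part.key.keyvalue.data,
                         rep->enc_part.key.keyvalue.length);
    if (ret) {
        krb5_clear_error_message(context);
        goto out;
    }

    /* compare client and save */
    ret = _krb5_principalname2krb5_principal(context,
                                             &tmp_principal,
                                             rep->kdc_rep.cname,
                                             rep->kdc_rep.crealm);
    if (ret)
        goto out;

    /* check client referral and save principal */
    /* anonymous here ? */
    if ((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) {
        ret = check_client_referral(context, rep,
                                    creds->client,
                                    tmp_principal,
                                    &creds->session);
        if (ret) {
            krb5_free_principal(context, tmp_principal);
            goto out;
        }
    }
    /* Replace the requested client with the one the KDC returned. */
    krb5_free_principal(context, creds->client);
    creds->client = tmp_principal;

    /* check server referral and save principal */
    ret = _krb5_principalname2krb5_principal(context,
                                             &tmp_principal,
                                             rep->kdc_rep.ticket.sname,
                                             rep->kdc_rep.ticket.realm);
    if (ret)
        goto out;
    if ((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0) {
        ret = check_server_referral(context,
                                    rep,
                                    flags,
                                    creds->server,
                                    tmp_principal,
                                    &creds->session);
        if (ret) {
            krb5_free_principal(context, tmp_principal);
            goto out;
        }
    }
    krb5_free_principal(context, creds->server);
    creds->server = tmp_principal;

    /* verify names: client and server realm must both be the reply's srealm */
    if (flags & EXTRACT_TICKET_MATCH_REALM) {
        const char *srealm = krb5_principal_get_realm(context, creds->server);
        const char *crealm = krb5_principal_get_realm(context, creds->client);

        if (strcmp(rep->enc_part.srealm, srealm) != 0 ||
            strcmp(rep->enc_part.srealm, crealm) != 0)
        {
            ret = KRB5KRB_AP_ERR_MODIFIED;
            krb5_clear_error_message(context);
            goto out;
        }
    }

    /* compare nonces */

    if (nonce != (unsigned)rep->enc_part.nonce) {
        ret = KRB5KRB_AP_ERR_MODIFIED;
        /* Previously reported as "malloc: out of memory", which was misleading. */
        krb5_set_error_message(context, ret,
                               N_("nonce in KDC reply does not match the request", ""));
        goto out;
    }

    /* set kdc-offset */

    krb5_timeofday(context, &sec_now);
    if (rep->enc_part.flags.initial
        && (flags & EXTRACT_TICKET_TIMESYNC)
        && context->kdc_sec_offset == 0
        && krb5_config_get_bool(context, NULL,
                                "libdefaults",
                                "kdc_timesync",
                                NULL)) {
        /* Trust the KDC's authtime as "now" and re-read our adjusted clock. */
        context->kdc_sec_offset = rep->enc_part.authtime - sec_now;
        krb5_timeofday(context, &sec_now);
    }

    /* check all times */

    if (rep->enc_part.starttime) {
        tmp_time = *rep->enc_part.starttime;
    } else
        tmp_time = rep->enc_part.authtime;

    /* Skew is only checked when the caller did not request a start time. */
    if (creds->times.starttime == 0
        && labs(tmp_time - sec_now) > context->max_skew) {
        ret = KRB5KRB_AP_ERR_SKEW;
        krb5_set_error_message(context, ret,
                               N_("time skew (%ld) larger than max (%ld)", ""),
                               labs(tmp_time - sec_now),
                               (long)context->max_skew);
        goto out;
    }

    if (creds->times.starttime != 0
        && tmp_time != creds->times.starttime) {
        krb5_clear_error_message(context);
        ret = KRB5KRB_AP_ERR_MODIFIED;
        goto out;
    }

    creds->times.starttime = tmp_time;

    if (rep->enc_part.renew_till) {
        tmp_time = *rep->enc_part.renew_till;
    } else
        tmp_time = 0;

    /* The KDC may shorten a requested renew-till/endtime, never extend it. */
    if (creds->times.renew_till != 0
        && tmp_time > creds->times.renew_till) {
        krb5_clear_error_message(context);
        ret = KRB5KRB_AP_ERR_MODIFIED;
        goto out;
    }

    creds->times.renew_till = tmp_time;

    creds->times.authtime = rep->enc_part.authtime;

    if (creds->times.endtime != 0
        && rep->enc_part.endtime > creds->times.endtime) {
        krb5_clear_error_message(context);
        ret = KRB5KRB_AP_ERR_MODIFIED;
        goto out;
    }

    creds->times.endtime = rep->enc_part.endtime;

    /* Addresses: copy failures were previously ignored; ret is 0 here. */
    if (rep->enc_part.caddr)
        ret = krb5_copy_addresses(context, rep->enc_part.caddr, &creds->addresses);
    else if (addrs)
        ret = krb5_copy_addresses(context, addrs, &creds->addresses);
    else {
        creds->addresses.len = 0;
        creds->addresses.val = NULL;
    }
    if (ret)
        goto out;
    creds->flags.b = rep->enc_part.flags;

    creds->authdata.len = 0;
    creds->authdata.val = NULL;

    /* extract ticket */
    ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
                       &rep->kdc_rep.ticket, &len, ret);
    if (ret)
        goto out;
    if (creds->ticket.length != len)
        krb5_abortx(context, "internal error in ASN.1 encoder");
    creds->second_ticket.length = 0;
    creds->second_ticket.data = NULL;

out:
    /*
     * Wipe the session key left in the decoded reply.  NOTE(review): if
     * decrypt_proc failed before decoding, rep->enc_part is whatever the
     * caller left there -- presumably zeroed; confirm at the call sites.
     */
    memset(rep->enc_part.key.keyvalue.data, 0,
           rep->enc_part.key.keyvalue.length);
    return ret;
}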
845