root/source4/heimdal/lib/krb5/rd_cred.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. compare_addrs
  2. krb5_rd_cred
  3. krb5_rd_cred2

   1 /*
   2  * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33 
  34 #include <krb5_locl.h>
  35 
  36 RCSID("$Id$");
  37 
  38 static krb5_error_code
  39 compare_addrs(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  40               krb5_address *a,
  41               krb5_address *b,
  42               const char *message)
  43 {
  44     char a_str[64], b_str[64];
  45     size_t len;
  46 
  47     if(krb5_address_compare (context, a, b))
  48         return 0;
  49 
  50     krb5_print_address (a, a_str, sizeof(a_str), &len);
  51     krb5_print_address (b, b_str, sizeof(b_str), &len);
  52     krb5_set_error_message(context, KRB5KRB_AP_ERR_BADADDR,
  53                            "%s: %s != %s", message, b_str, a_str);
  54     return KRB5KRB_AP_ERR_BADADDR;
  55 }
  56 
  57 krb5_error_code KRB5_LIB_FUNCTION
  58 krb5_rd_cred(krb5_context context,
     /* [<][>][^][v][top][bottom][index][help] */
  59              krb5_auth_context auth_context,
  60              krb5_data *in_data,
  61              krb5_creds ***ret_creds,
  62              krb5_replay_data *outdata)
  63 {
  64     krb5_error_code ret;
  65     size_t len;
  66     KRB_CRED cred;
  67     EncKrbCredPart enc_krb_cred_part;
  68     krb5_data enc_krb_cred_part_data;
  69     krb5_crypto crypto;
  70     int i;
  71 
  72     memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
  73 
  74     if ((auth_context->flags &
  75          (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
  76         outdata == NULL)
  77         return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
  78 
  79     *ret_creds = NULL;
  80 
  81     ret = decode_KRB_CRED(in_data->data, in_data->length,
  82                           &cred, &len);
  83     if(ret) {
  84         krb5_clear_error_message(context);
  85         return ret;
  86     }
  87 
  88     if (cred.pvno != 5) {
  89         ret = KRB5KRB_AP_ERR_BADVERSION;
  90         krb5_clear_error_message (context);
  91         goto out;
  92     }
  93 
  94     if (cred.msg_type != krb_cred) {
  95         ret = KRB5KRB_AP_ERR_MSG_TYPE;
  96         krb5_clear_error_message (context);
  97         goto out;
  98     }
  99 
 100     if (cred.enc_part.etype == ETYPE_NULL) {
 101         /* DK: MIT GSS-API Compatibility */
 102         enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
 103         enc_krb_cred_part_data.data   = cred.enc_part.cipher.data;
 104     } else {
 105         /* Try both subkey and session key.
 106          *
 107          * RFC4120 claims we should use the session key, but Heimdal
 108          * before 0.8 used the remote subkey if it was send in the
 109          * auth_context.
 110          */
 111 
 112         if (auth_context->remote_subkey) {
 113             ret = krb5_crypto_init(context, auth_context->remote_subkey,
 114                                    0, &crypto);
 115             if (ret)
 116                 goto out;
 117 
 118             ret = krb5_decrypt_EncryptedData(context,
 119                                              crypto,
 120                                              KRB5_KU_KRB_CRED,
 121                                              &cred.enc_part,
 122                                              &enc_krb_cred_part_data);
 123         
 124             krb5_crypto_destroy(context, crypto);
 125         }
 126 
 127         /*
 128          * If there was not subkey, or we failed using subkey,
 129          * retry using the session key
 130          */
 131         if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
 132         {
 133 
 134             ret = krb5_crypto_init(context, auth_context->keyblock,
 135                                    0, &crypto);
 136 
 137             if (ret)
 138                 goto out;
 139         
 140             ret = krb5_decrypt_EncryptedData(context,
 141                                              crypto,
 142                                              KRB5_KU_KRB_CRED,
 143                                              &cred.enc_part,
 144                                              &enc_krb_cred_part_data);
 145         
 146             krb5_crypto_destroy(context, crypto);
 147         }
 148         if (ret)
 149             goto out;
 150     }
 151 
 152     ret = krb5_decode_EncKrbCredPart (context,
 153                                       enc_krb_cred_part_data.data,
 154                                       enc_krb_cred_part_data.length,
 155                                       &enc_krb_cred_part,
 156                                       &len);
 157     if (enc_krb_cred_part_data.data != cred.enc_part.cipher.data)
 158         krb5_data_free(&enc_krb_cred_part_data);
 159     if (ret)
 160         goto out;
 161 
 162     /* check sender address */
 163 
 164     if (enc_krb_cred_part.s_address
 165         && auth_context->remote_address
 166         && auth_context->remote_port) {
 167         krb5_address *a;
 168 
 169         ret = krb5_make_addrport (context, &a,
 170                                   auth_context->remote_address,
 171                                   auth_context->remote_port);
 172         if (ret)
 173             goto out;
 174 
 175 
 176         ret = compare_addrs(context, a, enc_krb_cred_part.s_address,
 177                             N_("sender address is wrong "
 178                                "in received creds", ""));
 179         krb5_free_address(context, a);
 180         free(a);
 181         if(ret)
 182             goto out;
 183     }
 184 
 185     /* check receiver address */
 186 
 187     if (enc_krb_cred_part.r_address
 188         && auth_context->local_address) {
 189         if(auth_context->local_port &&
 190            enc_krb_cred_part.r_address->addr_type == KRB5_ADDRESS_ADDRPORT) {
 191             krb5_address *a;
 192             ret = krb5_make_addrport (context, &a,
 193                                       auth_context->local_address,
 194                                       auth_context->local_port);
 195             if (ret)
 196                 goto out;
 197         
 198             ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
 199                                 N_("receiver address is wrong "
 200                                    "in received creds", ""));
 201             krb5_free_address(context, a);
 202             free(a);
 203             if(ret)
 204                 goto out;
 205         } else {
 206             ret = compare_addrs(context, auth_context->local_address,
 207                                 enc_krb_cred_part.r_address,
 208                                 N_("receiver address is wrong "
 209                                    "in received creds", ""));
 210             if(ret)
 211                 goto out;
 212         }
 213     }
 214 
 215     /* check timestamp */
 216     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
 217         krb5_timestamp sec;
 218 
 219         krb5_timeofday (context, &sec);
 220 
 221         if (enc_krb_cred_part.timestamp == NULL ||
 222             enc_krb_cred_part.usec      == NULL ||
 223             abs(*enc_krb_cred_part.timestamp - sec)
 224             > context->max_skew) {
 225             krb5_clear_error_message (context);
 226             ret = KRB5KRB_AP_ERR_SKEW;
 227             goto out;
 228         }
 229     }
 230 
 231     if ((auth_context->flags &
 232          (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE))) {
 233         /* if these fields are not present in the cred-part, silently
 234            return zero */
 235         memset(outdata, 0, sizeof(*outdata));
 236         if(enc_krb_cred_part.timestamp)
 237             outdata->timestamp = *enc_krb_cred_part.timestamp;
 238         if(enc_krb_cred_part.usec)
 239             outdata->usec = *enc_krb_cred_part.usec;
 240         if(enc_krb_cred_part.nonce)
 241             outdata->seq = *enc_krb_cred_part.nonce;
 242     }
 243 
 244     /* Convert to NULL terminated list of creds */
 245 
 246     *ret_creds = calloc(enc_krb_cred_part.ticket_info.len + 1,
 247                         sizeof(**ret_creds));
 248 
 249     if (*ret_creds == NULL) {
 250         ret = ENOMEM;
 251         krb5_set_error_message(context, ret,
 252                                N_("malloc: out of memory", ""));
 253         goto out;
 254     }
 255 
 256     for (i = 0; i < enc_krb_cred_part.ticket_info.len; ++i) {
 257         KrbCredInfo *kci = &enc_krb_cred_part.ticket_info.val[i];
 258         krb5_creds *creds;
 259 
 260         creds = calloc(1, sizeof(*creds));
 261         if(creds == NULL) {
 262             ret = ENOMEM;
 263             krb5_set_error_message(context, ret,
 264                                    N_("malloc: out of memory", ""));
 265             goto out;
 266         }
 267 
 268         ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length,
 269                            &cred.tickets.val[i], &len, ret);
 270         if (ret) {
 271             free(creds);
 272             goto out;
 273         }
 274         if(creds->ticket.length != len)
 275             krb5_abortx(context, "internal error in ASN.1 encoder");
 276         copy_EncryptionKey (&kci->key, &creds->session);
 277         if (kci->prealm && kci->pname)
 278             _krb5_principalname2krb5_principal (context,
 279                                                 &creds->client,
 280                                                 *kci->pname,
 281                                                 *kci->prealm);
 282         if (kci->flags)
 283             creds->flags.b = *kci->flags;
 284         if (kci->authtime)
 285             creds->times.authtime = *kci->authtime;
 286         if (kci->starttime)
 287             creds->times.starttime = *kci->starttime;
 288         if (kci->endtime)
 289             creds->times.endtime = *kci->endtime;
 290         if (kci->renew_till)
 291             creds->times.renew_till = *kci->renew_till;
 292         if (kci->srealm && kci->sname)
 293             _krb5_principalname2krb5_principal (context,
 294                                                 &creds->server,
 295                                                 *kci->sname,
 296                                                 *kci->srealm);
 297         if (kci->caddr)
 298             krb5_copy_addresses (context,
 299                                  kci->caddr,
 300                                  &creds->addresses);
 301         
 302         (*ret_creds)[i] = creds;
 303         
 304     }
 305     (*ret_creds)[i] = NULL;
 306 
 307     free_KRB_CRED (&cred);
 308     free_EncKrbCredPart(&enc_krb_cred_part);
 309 
 310     return 0;
 311 
 312   out:
 313     free_EncKrbCredPart(&enc_krb_cred_part);
 314     free_KRB_CRED (&cred);
 315     if(*ret_creds) {
 316         for(i = 0; (*ret_creds)[i]; i++)
 317             krb5_free_creds(context, (*ret_creds)[i]);
 318         free(*ret_creds);
 319         *ret_creds = NULL;
 320     }
 321     return ret;
 322 }
 323 
 324 krb5_error_code KRB5_LIB_FUNCTION
 325 krb5_rd_cred2 (krb5_context      context,
     /* [<][>][^][v][top][bottom][index][help] */
 326                krb5_auth_context auth_context,
 327                krb5_ccache       ccache,
 328                krb5_data         *in_data)
 329 {
 330     krb5_error_code ret;
 331     krb5_creds **creds;
 332     int i;
 333 
 334     ret = krb5_rd_cred(context, auth_context, in_data, &creds, NULL);
 335     if(ret)
 336         return ret;
 337 
 338     /* Store the creds in the ccache */
 339 
 340     for(i = 0; creds && creds[i]; i++) {
 341         krb5_cc_store_cred(context, ccache, creds[i]);
 342         krb5_free_creds(context, creds[i]);
 343     }
 344     free(creds);
 345     return 0;
 346 }

/* [<][>][^][v][top][bottom][index][help] */