Line data Source code
1 : /*
2 : * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 : * (Royal Institute of Technology, Stockholm, Sweden).
4 : * All rights reserved.
5 : *
6 : * Redistribution and use in source and binary forms, with or without
7 : * modification, are permitted provided that the following conditions
8 : * are met:
9 : *
10 : * 1. Redistributions of source code must retain the above copyright
11 : * notice, this list of conditions and the following disclaimer.
12 : *
13 : * 2. Redistributions in binary form must reproduce the above copyright
14 : * notice, this list of conditions and the following disclaimer in the
15 : * documentation and/or other materials provided with the distribution.
16 : *
17 : * 3. Neither the name of the Institute nor the names of its contributors
18 : * may be used to endorse or promote products derived from this software
19 : * without specific prior written permission.
20 : *
21 : * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 : * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 : * SUCH DAMAGE.
32 : */
33 :
34 : #define KRB5_DEPRECATED_FUNCTION(x)
35 :
36 : #include "krb5_locl.h"
37 :
38 : #ifndef HEIMDAL_SMALLER
39 :
40 : static krb5_error_code
41 0 : make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
42 : krb5_enctype etype, krb5_keyblock *key)
43 : {
44 0 : PA_ENC_TS_ENC p;
45 0 : unsigned char *buf;
46 0 : size_t buf_size;
47 0 : size_t len = 0;
48 0 : EncryptedData encdata;
49 0 : krb5_error_code ret;
50 0 : int32_t usec;
51 0 : int usec2;
52 0 : krb5_crypto crypto;
53 :
54 0 : krb5_us_timeofday (context, &p.patimestamp, &usec);
55 0 : usec2 = usec;
56 0 : p.pausec = &usec2;
57 :
58 0 : ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
59 0 : if (ret)
60 0 : return ret;
61 0 : if(buf_size != len)
62 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
63 0 : ret = krb5_crypto_init(context, key, 0, &crypto);
64 0 : if (ret) {
65 0 : free(buf);
66 0 : return ret;
67 : }
68 0 : ret = krb5_encrypt_EncryptedData(context,
69 : crypto,
70 : KRB5_KU_PA_ENC_TIMESTAMP,
71 : buf,
72 : len,
73 : 0,
74 : &encdata);
75 0 : free(buf);
76 0 : krb5_crypto_destroy(context, crypto);
77 0 : if (ret)
78 0 : return ret;
79 :
80 0 : ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
81 0 : free_EncryptedData(&encdata);
82 0 : if (ret)
83 0 : return ret;
84 0 : if(buf_size != len)
85 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
86 0 : pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
87 0 : pa->padata_value.length = len;
88 0 : pa->padata_value.data = buf;
89 0 : return 0;
90 : }
91 :
92 : static krb5_error_code
93 0 : add_padata(krb5_context context,
94 : METHOD_DATA *md,
95 : krb5_principal client,
96 : krb5_key_proc key_proc,
97 : krb5_const_pointer keyseed,
98 : krb5_enctype *enctypes,
99 : unsigned netypes,
100 : krb5_salt *salt)
101 : {
102 0 : krb5_error_code ret;
103 0 : PA_DATA *pa2;
104 0 : krb5_salt salt2;
105 0 : krb5_enctype *ep;
106 0 : size_t i;
107 :
108 0 : if(salt == NULL) {
109 : /* default to standard salt */
110 0 : ret = krb5_get_pw_salt (context, client, &salt2);
111 0 : if (ret)
112 0 : return ret;
113 0 : salt = &salt2;
114 : }
115 0 : if (!enctypes) {
116 0 : enctypes = context->etypes;
117 0 : netypes = 0;
118 0 : for (ep = enctypes; *ep != ETYPE_NULL; ep++)
119 0 : netypes++;
120 : }
121 0 : pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
122 0 : if (pa2 == NULL)
123 0 : return krb5_enomem(context);
124 0 : md->val = pa2;
125 :
126 0 : for (i = 0; i < netypes; ++i) {
127 0 : krb5_keyblock *key;
128 :
129 0 : ret = (*key_proc)(context, enctypes[i], *salt, keyseed, &key);
130 0 : if (ret)
131 0 : continue;
132 0 : ret = make_pa_enc_timestamp (context, &md->val[md->len],
133 0 : enctypes[i], key);
134 0 : krb5_free_keyblock (context, key);
135 0 : if (ret)
136 0 : return ret;
137 0 : ++md->len;
138 : }
139 0 : if(salt == &salt2)
140 0 : krb5_free_salt(context, salt2);
141 0 : return 0;
142 : }
143 :
144 : static krb5_error_code
145 0 : init_as_req (krb5_context context,
146 : KDCOptions opts,
147 : krb5_creds *creds,
148 : const krb5_addresses *addrs,
149 : const krb5_enctype *etypes,
150 : const krb5_preauthtype *ptypes,
151 : const krb5_preauthdata *preauth,
152 : krb5_key_proc key_proc,
153 : krb5_const_pointer keyseed,
154 : unsigned nonce,
155 : AS_REQ *a)
156 : {
157 0 : krb5_error_code ret;
158 0 : krb5_salt salt;
159 :
160 0 : memset(a, 0, sizeof(*a));
161 :
162 0 : a->pvno = 5;
163 0 : a->msg_type = krb_as_req;
164 0 : a->req_body.kdc_options = opts;
165 0 : a->req_body.cname = malloc(sizeof(*a->req_body.cname));
166 0 : if (a->req_body.cname == NULL) {
167 0 : ret = krb5_enomem(context);
168 0 : goto fail;
169 : }
170 0 : a->req_body.sname = malloc(sizeof(*a->req_body.sname));
171 0 : if (a->req_body.sname == NULL) {
172 0 : ret = krb5_enomem(context);
173 0 : goto fail;
174 : }
175 0 : ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
176 0 : if (ret)
177 0 : goto fail;
178 0 : ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
179 0 : if (ret)
180 0 : goto fail;
181 0 : ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
182 0 : if (ret)
183 0 : goto fail;
184 :
185 0 : if(creds->times.starttime) {
186 0 : a->req_body.from = malloc(sizeof(*a->req_body.from));
187 0 : if (a->req_body.from == NULL) {
188 0 : ret = krb5_enomem(context);
189 0 : goto fail;
190 : }
191 0 : *a->req_body.from = creds->times.starttime;
192 : }
193 0 : if(creds->times.endtime){
194 0 : ALLOC(a->req_body.till, 1);
195 0 : *a->req_body.till = creds->times.endtime;
196 : }
197 0 : if(creds->times.renew_till){
198 0 : a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
199 0 : if (a->req_body.rtime == NULL) {
200 0 : ret = krb5_enomem(context);
201 0 : goto fail;
202 : }
203 0 : *a->req_body.rtime = creds->times.renew_till;
204 : }
205 0 : a->req_body.nonce = nonce;
206 0 : ret = _krb5_init_etype(context,
207 : KRB5_PDU_AS_REQUEST,
208 : &a->req_body.etype.len,
209 0 : &a->req_body.etype.val,
210 : etypes);
211 0 : if (ret)
212 0 : goto fail;
213 :
214 : /*
215 : * This means no addresses
216 : */
217 :
218 0 : if (addrs && addrs->len == 0) {
219 0 : a->req_body.addresses = NULL;
220 : } else {
221 0 : a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
222 0 : if (a->req_body.addresses == NULL) {
223 0 : ret = krb5_enomem(context);
224 0 : goto fail;
225 : }
226 :
227 0 : if (addrs)
228 0 : ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
229 : else {
230 0 : ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
231 0 : if(ret == 0 && a->req_body.addresses->len == 0) {
232 0 : free(a->req_body.addresses);
233 0 : a->req_body.addresses = NULL;
234 : }
235 : }
236 0 : if (ret)
237 0 : return ret;
238 : }
239 :
240 0 : a->req_body.enc_authorization_data = NULL;
241 0 : a->req_body.additional_tickets = NULL;
242 :
243 0 : if(preauth != NULL) {
244 0 : size_t i;
245 0 : ALLOC(a->padata, 1);
246 0 : if(a->padata == NULL) {
247 0 : ret = krb5_enomem(context);
248 0 : goto fail;
249 : }
250 0 : a->padata->val = NULL;
251 0 : a->padata->len = 0;
252 0 : for(i = 0; i < preauth->len; i++) {
253 0 : if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
254 : size_t j;
255 :
256 0 : for(j = 0; j < preauth->val[i].info.len; j++) {
257 0 : krb5_salt *sp = &salt;
258 0 : if(preauth->val[i].info.val[j].salttype)
259 0 : salt.salttype = *preauth->val[i].info.val[j].salttype;
260 : else
261 0 : salt.salttype = KRB5_PW_SALT;
262 0 : if(preauth->val[i].info.val[j].salt)
263 0 : salt.saltvalue = *preauth->val[i].info.val[j].salt;
264 : else
265 0 : if(salt.salttype == KRB5_PW_SALT)
266 0 : sp = NULL;
267 : else
268 0 : krb5_data_zero(&salt.saltvalue);
269 0 : ret = add_padata(context, a->padata, creds->client,
270 : key_proc, keyseed,
271 0 : &preauth->val[i].info.val[j].etype, 1,
272 : sp);
273 0 : if (ret == 0)
274 0 : break;
275 : }
276 : }
277 : }
278 : } else
279 : /* not sure this is the way to use `ptypes' */
280 0 : if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
281 0 : a->padata = NULL;
282 0 : else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
283 0 : ALLOC(a->padata, 1);
284 0 : if (a->padata == NULL) {
285 0 : ret = krb5_enomem(context);
286 0 : goto fail;
287 : }
288 0 : a->padata->len = 0;
289 0 : a->padata->val = NULL;
290 :
291 : /* make a v5 salted pa-data */
292 0 : add_padata(context, a->padata, creds->client,
293 0 : key_proc, keyseed, a->req_body.etype.val,
294 : a->req_body.etype.len, NULL);
295 :
296 : /* make a v4 salted pa-data */
297 0 : salt.salttype = KRB5_PW_SALT;
298 0 : krb5_data_zero(&salt.saltvalue);
299 0 : add_padata(context, a->padata, creds->client,
300 0 : key_proc, keyseed, a->req_body.etype.val,
301 : a->req_body.etype.len, &salt);
302 : } else {
303 0 : ret = KRB5_PREAUTH_BAD_TYPE;
304 0 : krb5_set_error_message (context, ret,
305 0 : N_("pre-auth type %d not supported", ""),
306 : *ptypes);
307 0 : goto fail;
308 : }
309 0 : return 0;
310 0 : fail:
311 0 : free_AS_REQ(a);
312 0 : return ret;
313 : }
314 :
315 : static int
316 0 : set_ptypes(krb5_context context,
317 : KRB_ERROR *error,
318 : const krb5_preauthtype **ptypes,
319 : krb5_preauthdata **preauth)
320 : {
321 0 : static krb5_preauthdata preauth2;
322 0 : static const krb5_preauthtype ptypes2[] = {
323 : KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE
324 : };
325 :
326 0 : if(error->e_data) {
327 0 : METHOD_DATA md;
328 0 : size_t i;
329 0 : decode_METHOD_DATA(error->e_data->data,
330 0 : error->e_data->length,
331 : &md,
332 : NULL);
333 0 : for(i = 0; i < md.len; i++){
334 0 : switch(md.val[i].padata_type){
335 0 : case KRB5_PADATA_ENC_TIMESTAMP:
336 0 : *ptypes = ptypes2;
337 0 : break;
338 0 : case KRB5_PADATA_ETYPE_INFO:
339 0 : *preauth = &preauth2;
340 0 : ALLOC_SEQ(*preauth, 1);
341 0 : (*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
342 0 : decode_ETYPE_INFO(md.val[i].padata_value.data,
343 0 : md.val[i].padata_value.length,
344 0 : &(*preauth)->val[0].info,
345 : NULL);
346 0 : break;
347 0 : default:
348 0 : break;
349 : }
350 : }
351 0 : free_METHOD_DATA(&md);
352 : } else {
353 0 : *ptypes = ptypes2;
354 : }
355 0 : return(1);
356 : }
357 :
358 : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
359 0 : krb5_get_in_cred(krb5_context context,
360 : krb5_flags options,
361 : const krb5_addresses *addrs,
362 : const krb5_enctype *etypes,
363 : const krb5_preauthtype *ptypes,
364 : const krb5_preauthdata *preauth,
365 : krb5_key_proc key_proc,
366 : krb5_const_pointer keyseed,
367 : krb5_decrypt_proc decrypt_proc,
368 : krb5_const_pointer decryptarg,
369 : krb5_creds *creds,
370 : krb5_kdc_rep *ret_as_reply)
371 : KRB5_DEPRECATED_FUNCTION("Use X instead")
372 : {
373 0 : krb5_error_code ret;
374 0 : AS_REQ a;
375 0 : krb5_kdc_rep rep;
376 0 : krb5_data req, resp;
377 0 : size_t len = 0;
378 0 : krb5_salt salt;
379 0 : krb5_keyblock *key;
380 0 : size_t size;
381 0 : KDCOptions opts;
382 0 : PA_DATA *pa;
383 0 : krb5_enctype etype;
384 0 : krb5_preauthdata *my_preauth = NULL;
385 0 : unsigned nonce;
386 0 : int done;
387 :
388 0 : opts = int2KDCOptions(options);
389 :
390 0 : krb5_generate_random_block (&nonce, sizeof(nonce));
391 0 : nonce &= 0xffffffff;
392 :
393 0 : do {
394 0 : done = 1;
395 0 : ret = init_as_req (context,
396 : opts,
397 : creds,
398 : addrs,
399 : etypes,
400 : ptypes,
401 : preauth,
402 : key_proc,
403 : keyseed,
404 : nonce,
405 : &a);
406 0 : if (my_preauth) {
407 0 : free_ETYPE_INFO(&my_preauth->val[0].info);
408 0 : free (my_preauth->val);
409 0 : my_preauth = NULL;
410 : }
411 0 : if (ret)
412 0 : return ret;
413 :
414 0 : ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, &a, &len, ret);
415 0 : free_AS_REQ(&a);
416 0 : if (ret)
417 0 : return ret;
418 0 : if(len != req.length)
419 0 : krb5_abortx(context, "internal error in ASN.1 encoder");
420 :
421 0 : ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
422 0 : krb5_data_free(&req);
423 0 : if (ret)
424 0 : return ret;
425 :
426 0 : memset (&rep, 0, sizeof(rep));
427 0 : ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
428 0 : if(ret) {
429 : /* let's try to parse it as a KRB-ERROR */
430 0 : KRB_ERROR error;
431 0 : int ret2;
432 :
433 0 : ret2 = krb5_rd_error(context, &resp, &error);
434 0 : if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
435 0 : ret = KRB5KRB_AP_ERR_V4_REPLY;
436 0 : krb5_data_free(&resp);
437 0 : if (ret2 == 0) {
438 0 : ret = krb5_error_from_rd_error(context, &error, creds);
439 : /* if no preauth was set and KDC requires it, give it
440 : one more try */
441 0 : if (!ptypes && !preauth
442 0 : && ret == KRB5KDC_ERR_PREAUTH_REQUIRED
443 0 : && set_ptypes(context, &error, &ptypes, &my_preauth)) {
444 0 : done = 0;
445 0 : preauth = my_preauth;
446 0 : krb5_free_error_contents(context, &error);
447 0 : krb5_clear_error_message(context);
448 0 : continue;
449 : }
450 0 : if(ret_as_reply)
451 0 : ret_as_reply->error = error;
452 : else
453 0 : free_KRB_ERROR (&error);
454 0 : return ret;
455 : }
456 0 : return ret;
457 : }
458 0 : krb5_data_free(&resp);
459 0 : } while(!done);
460 :
461 0 : pa = NULL;
462 0 : etype = rep.kdc_rep.enc_part.etype;
463 0 : if(rep.kdc_rep.padata){
464 0 : int i = 0;
465 0 : pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
466 : KRB5_PADATA_PW_SALT, &i);
467 0 : if(pa == NULL) {
468 0 : i = 0;
469 0 : pa = krb5_find_padata(rep.kdc_rep.padata->val,
470 0 : rep.kdc_rep.padata->len,
471 : KRB5_PADATA_AFS3_SALT, &i);
472 : }
473 : }
474 0 : if(pa) {
475 0 : salt.salttype = (krb5_salttype)pa->padata_type;
476 0 : salt.saltvalue = pa->padata_value;
477 :
478 0 : ret = (*key_proc)(context, etype, salt, keyseed, &key);
479 : } else {
480 : /* make a v5 salted pa-data */
481 0 : ret = krb5_get_pw_salt (context, creds->client, &salt);
482 :
483 0 : if (ret)
484 0 : goto out;
485 0 : ret = (*key_proc)(context, etype, salt, keyseed, &key);
486 0 : krb5_free_salt(context, salt);
487 : }
488 0 : if (ret)
489 0 : goto out;
490 :
491 : {
492 0 : unsigned flags = EXTRACT_TICKET_TIMESYNC;
493 0 : if (opts.request_anonymous)
494 0 : flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH | EXTRACT_TICKET_MATCH_ANON;
495 :
496 0 : ret = _krb5_extract_ticket(context,
497 : &rep,
498 : creds,
499 : key,
500 : keyseed,
501 : KRB5_KU_AS_REP_ENC_PART,
502 : NULL,
503 : nonce,
504 : flags,
505 : NULL,
506 : decrypt_proc,
507 : decryptarg);
508 : }
509 0 : memset (key->keyvalue.data, 0, key->keyvalue.length);
510 0 : krb5_free_keyblock_contents (context, key);
511 0 : free (key);
512 :
513 0 : out:
514 0 : if (ret == 0 && ret_as_reply)
515 0 : *ret_as_reply = rep;
516 : else
517 0 : krb5_free_kdc_rep (context, &rep);
518 0 : return ret;
519 : }
520 :
521 : KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
522 0 : krb5_get_in_tkt(krb5_context context,
523 : krb5_flags options,
524 : const krb5_addresses *addrs,
525 : const krb5_enctype *etypes,
526 : const krb5_preauthtype *ptypes,
527 : krb5_key_proc key_proc,
528 : krb5_const_pointer keyseed,
529 : krb5_decrypt_proc decrypt_proc,
530 : krb5_const_pointer decryptarg,
531 : krb5_creds *creds,
532 : krb5_ccache ccache,
533 : krb5_kdc_rep *ret_as_reply)
534 : KRB5_DEPRECATED_FUNCTION("Use X instead")
535 : {
536 0 : krb5_error_code ret;
537 :
538 0 : ret = krb5_get_in_cred (context,
539 : options,
540 : addrs,
541 : etypes,
542 : ptypes,
543 : NULL,
544 : key_proc,
545 : keyseed,
546 : decrypt_proc,
547 : decryptarg,
548 : creds,
549 : ret_as_reply);
550 0 : if(ret)
551 0 : return ret;
552 0 : if (ccache)
553 0 : ret = krb5_cc_store_cred (context, ccache, creds);
554 0 : return ret;
555 : }
556 :
557 : #endif /* HEIMDAL_SMALLER */
|
