Context Navigation

source: vendor/current/source4/heimdal/lib/krb5/get_in_tkt.c@ 740

Visit:

Last change on this file since 740 was 740, checked in by Silvan Scherrer, 12 years ago
Samba Server: update vendor to 3.6.0
File size: 14.9 KB

Line
1	/*
2	* Copyright (c) 1997 - 2008 Kungliga Tekniska HÃ¶gskolan
3	* (Royal Institute of Technology, Stockholm, Sweden).
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	*
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	*
13	* 2. Redistributions in binary form must reproduce the above copyright
14	* notice, this list of conditions and the following disclaimer in the
15	* documentation and/or other materials provided with the distribution.
16	*
17	* 3. Neither the name of the Institute nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#define KRB5_DEPRECATED
35
36	#include "krb5_locl.h"
37
38	#ifndef HEIMDAL_SMALLER
39
40	static krb5_error_code
41	make_pa_enc_timestamp(krb5_context context, PA_DATA *pa,
42	krb5_enctype etype, krb5_keyblock *key)
43	{
44	PA_ENC_TS_ENC p;
45	unsigned char *buf;
46	size_t buf_size;
47	size_t len;
48	EncryptedData encdata;
49	krb5_error_code ret;
50	int32_t usec;
51	int usec2;
52	krb5_crypto crypto;
53
54	krb5_us_timeofday (context, &p.patimestamp, &usec);
55	usec2 = usec;
56	p.pausec = &usec2;
57
58	ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
59	if (ret)
60	return ret;
61	if(buf_size != len)
62	krb5_abortx(context, "internal error in ASN.1 encoder");
63	ret = krb5_crypto_init(context, key, 0, &crypto);
64	if (ret) {
65	free(buf);
66	return ret;
67	}
68	ret = krb5_encrypt_EncryptedData(context,
69	crypto,
70	KRB5_KU_PA_ENC_TIMESTAMP,
71	buf,
72	len,
73	0,
74	&encdata);
75	free(buf);
76	krb5_crypto_destroy(context, crypto);
77	if (ret)
78	return ret;
79
80	ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
81	free_EncryptedData(&encdata);
82	if (ret)
83	return ret;
84	if(buf_size != len)
85	krb5_abortx(context, "internal error in ASN.1 encoder");
86	pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
87	pa->padata_value.length = len;
88	pa->padata_value.data = buf;
89	return 0;
90	}
91
92	static krb5_error_code
93	add_padata(krb5_context context,
94	METHOD_DATA *md,
95	krb5_principal client,
96	krb5_key_proc key_proc,
97	krb5_const_pointer keyseed,
98	krb5_enctype *enctypes,
99	unsigned netypes,
100	krb5_salt *salt)
101	{
102	krb5_error_code ret;
103	PA_DATA *pa2;
104	krb5_salt salt2;
105	krb5_enctype *ep;
106	int i;
107
108	if(salt == NULL) {
109	/* default to standard salt */
110	ret = krb5_get_pw_salt (context, client, &salt2);
111	if (ret)
112	return ret;
113	salt = &salt2;
114	}
115	if (!enctypes) {
116	enctypes = context->etypes;
117	netypes = 0;
118	for (ep = enctypes; *ep != ETYPE_NULL; ep++)
119	netypes++;
120	}
121	pa2 = realloc (md->val, (md->len + netypes) * sizeof(*md->val));
122	if (pa2 == NULL) {
123	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
124	return ENOMEM;
125	}
126	md->val = pa2;
127
128	for (i = 0; i < netypes; ++i) {
129	krb5_keyblock *key;
130
131	ret = (key_proc)(context, enctypes[i], salt, keyseed, &key);
132	if (ret)
133	continue;
134	ret = make_pa_enc_timestamp (context, &md->val[md->len],
135	enctypes[i], key);
136	krb5_free_keyblock (context, key);
137	if (ret)
138	return ret;
139	++md->len;
140	}
141	if(salt == &salt2)
142	krb5_free_salt(context, salt2);
143	return 0;
144	}
145
146	static krb5_error_code
147	init_as_req (krb5_context context,
148	KDCOptions opts,
149	krb5_creds *creds,
150	const krb5_addresses *addrs,
151	const krb5_enctype *etypes,
152	const krb5_preauthtype *ptypes,
153	const krb5_preauthdata *preauth,
154	krb5_key_proc key_proc,
155	krb5_const_pointer keyseed,
156	unsigned nonce,
157	AS_REQ *a)
158	{
159	krb5_error_code ret;
160	krb5_salt salt;
161
162	memset(a, 0, sizeof(*a));
163
164	a->pvno = 5;
165	a->msg_type = krb_as_req;
166	a->req_body.kdc_options = opts;
167	a->req_body.cname = malloc(sizeof(*a->req_body.cname));
168	if (a->req_body.cname == NULL) {
169	ret = ENOMEM;
170	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
171	goto fail;
172	}
173	a->req_body.sname = malloc(sizeof(*a->req_body.sname));
174	if (a->req_body.sname == NULL) {
175	ret = ENOMEM;
176	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
177	goto fail;
178	}
179	ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
180	if (ret)
181	goto fail;
182	ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
183	if (ret)
184	goto fail;
185	ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
186	if (ret)
187	goto fail;
188
189	if(creds->times.starttime) {
190	a->req_body.from = malloc(sizeof(*a->req_body.from));
191	if (a->req_body.from == NULL) {
192	ret = ENOMEM;
193	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
194	goto fail;
195	}
196	*a->req_body.from = creds->times.starttime;
197	}
198	if(creds->times.endtime){
199	ALLOC(a->req_body.till, 1);
200	*a->req_body.till = creds->times.endtime;
201	}
202	if(creds->times.renew_till){
203	a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
204	if (a->req_body.rtime == NULL) {
205	ret = ENOMEM;
206	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
207	goto fail;
208	}
209	*a->req_body.rtime = creds->times.renew_till;
210	}
211	a->req_body.nonce = nonce;
212	ret = krb5_init_etype (context,
213	&a->req_body.etype.len,
214	&a->req_body.etype.val,
215	etypes);
216	if (ret)
217	goto fail;
218
219	/*
220	* This means no addresses
221	*/
222
223	if (addrs && addrs->len == 0) {
224	a->req_body.addresses = NULL;
225	} else {
226	a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
227	if (a->req_body.addresses == NULL) {
228	ret = ENOMEM;
229	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
230	goto fail;
231	}
232
233	if (addrs)
234	ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
235	else {
236	ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
237	if(ret == 0 && a->req_body.addresses->len == 0) {
238	free(a->req_body.addresses);
239	a->req_body.addresses = NULL;
240	}
241	}
242	if (ret)
243	return ret;
244	}
245
246	a->req_body.enc_authorization_data = NULL;
247	a->req_body.additional_tickets = NULL;
248
249	if(preauth != NULL) {
250	int i;
251	ALLOC(a->padata, 1);
252	if(a->padata == NULL) {
253	ret = ENOMEM;
254	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
255	goto fail;
256	}
257	a->padata->val = NULL;
258	a->padata->len = 0;
259	for(i = 0; i < preauth->len; i++) {
260	if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
261	int j;
262
263	for(j = 0; j < preauth->val[i].info.len; j++) {
264	krb5_salt *sp = &salt;
265	if(preauth->val[i].info.val[j].salttype)
266	salt.salttype = *preauth->val[i].info.val[j].salttype;
267	else
268	salt.salttype = KRB5_PW_SALT;
269	if(preauth->val[i].info.val[j].salt)
270	salt.saltvalue = *preauth->val[i].info.val[j].salt;
271	else
272	if(salt.salttype == KRB5_PW_SALT)
273	sp = NULL;
274	else
275	krb5_data_zero(&salt.saltvalue);
276	ret = add_padata(context, a->padata, creds->client,
277	key_proc, keyseed,
278	&preauth->val[i].info.val[j].etype, 1,
279	sp);
280	if (ret == 0)
281	break;
282	}
283	}
284	}
285	} else
286	/* not sure this is the way to use `ptypes' */
287	if (ptypes == NULL \|\| *ptypes == KRB5_PADATA_NONE)
288	a->padata = NULL;
289	else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
290	ALLOC(a->padata, 1);
291	if (a->padata == NULL) {
292	ret = ENOMEM;
293	krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
294	goto fail;
295	}
296	a->padata->len = 0;
297	a->padata->val = NULL;
298
299	/* make a v5 salted pa-data */
300	add_padata(context, a->padata, creds->client,
301	key_proc, keyseed, a->req_body.etype.val,
302	a->req_body.etype.len, NULL);
303
304	/* make a v4 salted pa-data */
305	salt.salttype = KRB5_PW_SALT;
306	krb5_data_zero(&salt.saltvalue);
307	add_padata(context, a->padata, creds->client,
308	key_proc, keyseed, a->req_body.etype.val,
309	a->req_body.etype.len, &salt);
310	} else {
311	ret = KRB5_PREAUTH_BAD_TYPE;
312	krb5_set_error_message (context, ret,
313	N_("pre-auth type %d not supported", ""),
314	*ptypes);
315	goto fail;
316	}
317	return 0;
318	fail:
319	free_AS_REQ(a);
320	return ret;
321	}
322
323	static int
324	set_ptypes(krb5_context context,
325	KRB_ERROR *error,
326	const krb5_preauthtype **ptypes,
327	krb5_preauthdata **preauth)
328	{
329	static krb5_preauthdata preauth2;
330	static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
331
332	if(error->e_data) {
333	METHOD_DATA md;
334	int i;
335	decode_METHOD_DATA(error->e_data->data,
336	error->e_data->length,
337	&md,
338	NULL);
339	for(i = 0; i < md.len; i++){
340	switch(md.val[i].padata_type){
341	case KRB5_PADATA_ENC_TIMESTAMP:
342	*ptypes = ptypes2;
343	break;
344	case KRB5_PADATA_ETYPE_INFO:
345	*preauth = &preauth2;
346	ALLOC_SEQ(*preauth, 1);
347	(*preauth)->val[0].type = KRB5_PADATA_ENC_TIMESTAMP;
348	decode_ETYPE_INFO(md.val[i].padata_value.data,
349	md.val[i].padata_value.length,
350	&(*preauth)->val[0].info,
351	NULL);
352	break;
353	default:
354	break;
355	}
356	}
357	free_METHOD_DATA(&md);
358	} else {
359	*ptypes = ptypes2;
360	}
361	return(1);
362	}
363
364	KRB5_DEPRECATED
365	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
366	krb5_get_in_cred(krb5_context context,
367	krb5_flags options,
368	const krb5_addresses *addrs,
369	const krb5_enctype *etypes,
370	const krb5_preauthtype *ptypes,
371	const krb5_preauthdata *preauth,
372	krb5_key_proc key_proc,
373	krb5_const_pointer keyseed,
374	krb5_decrypt_proc decrypt_proc,
375	krb5_const_pointer decryptarg,
376	krb5_creds *creds,
377	krb5_kdc_rep *ret_as_reply)
378	{
379	krb5_error_code ret;
380	AS_REQ a;
381	krb5_kdc_rep rep;
382	krb5_data req, resp;
383	size_t len;
384	krb5_salt salt;
385	krb5_keyblock *key;
386	size_t size;
387	KDCOptions opts;
388	PA_DATA *pa;
389	krb5_enctype etype;
390	krb5_preauthdata *my_preauth = NULL;
391	unsigned nonce;
392	int done;
393
394	opts = int2KDCOptions(options);
395
396	krb5_generate_random_block (&nonce, sizeof(nonce));
397	nonce &= 0xffffffff;
398
399	do {
400	done = 1;
401	ret = init_as_req (context,
402	opts,
403	creds,
404	addrs,
405	etypes,
406	ptypes,
407	preauth,
408	key_proc,
409	keyseed,
410	nonce,
411	&a);
412	if (my_preauth) {
413	free_ETYPE_INFO(&my_preauth->val[0].info);
414	free (my_preauth->val);
415	my_preauth = NULL;
416	}
417	if (ret)
418	return ret;
419
420	ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, &a, &len, ret);
421	free_AS_REQ(&a);
422	if (ret)
423	return ret;
424	if(len != req.length)
425	krb5_abortx(context, "internal error in ASN.1 encoder");
426
427	ret = krb5_sendto_kdc (context, &req, &creds->client->realm, &resp);
428	krb5_data_free(&req);
429	if (ret)
430	return ret;
431
432	memset (&rep, 0, sizeof(rep));
433	ret = decode_AS_REP(resp.data, resp.length, &rep.kdc_rep, &size);
434	if(ret) {
435	/* let's try to parse it as a KRB-ERROR */
436	KRB_ERROR error;
437	int ret2;
438
439	ret2 = krb5_rd_error(context, &resp, &error);
440	if(ret2 && resp.data && ((char*)resp.data)[0] == 4)
441	ret = KRB5KRB_AP_ERR_V4_REPLY;
442	krb5_data_free(&resp);
443	if (ret2 == 0) {
444	ret = krb5_error_from_rd_error(context, &error, creds);
445	/* if no preauth was set and KDC requires it, give it
446	one more try */
447	if (!ptypes && !preauth
448	&& ret == KRB5KDC_ERR_PREAUTH_REQUIRED
449	#if 0
450	\|\| ret == KRB5KDC_ERR_BADOPTION
451	#endif
452	&& set_ptypes(context, &error, &ptypes, &my_preauth)) {
453	done = 0;
454	preauth = my_preauth;
455	krb5_free_error_contents(context, &error);
456	krb5_clear_error_message(context);
457	continue;
458	}
459	if(ret_as_reply)
460	ret_as_reply->error = error;
461	else
462	free_KRB_ERROR (&error);
463	return ret;
464	}
465	return ret;
466	}
467	krb5_data_free(&resp);
468	} while(!done);
469
470	pa = NULL;
471	etype = rep.kdc_rep.enc_part.etype;
472	if(rep.kdc_rep.padata){
473	int i = 0;
474	pa = krb5_find_padata(rep.kdc_rep.padata->val, rep.kdc_rep.padata->len,
475	KRB5_PADATA_PW_SALT, &i);
476	if(pa == NULL) {
477	i = 0;
478	pa = krb5_find_padata(rep.kdc_rep.padata->val,
479	rep.kdc_rep.padata->len,
480	KRB5_PADATA_AFS3_SALT, &i);
481	}
482	}
483	if(pa) {
484	salt.salttype = pa->padata_type;
485	salt.saltvalue = pa->padata_value;
486
487	ret = (*key_proc)(context, etype, salt, keyseed, &key);
488	} else {
489	/* make a v5 salted pa-data */
490	ret = krb5_get_pw_salt (context, creds->client, &salt);
491
492	if (ret)
493	goto out;
494	ret = (*key_proc)(context, etype, salt, keyseed, &key);
495	krb5_free_salt(context, salt);
496	}
497	if (ret)
498	goto out;
499
500	{
501	unsigned flags = EXTRACT_TICKET_TIMESYNC;
502	if (opts.request_anonymous)
503	flags \|= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
504
505	ret = _krb5_extract_ticket(context,
506	&rep,
507	creds,
508	key,
509	keyseed,
510	KRB5_KU_AS_REP_ENC_PART,
511	NULL,
512	nonce,
513	flags,
514	decrypt_proc,
515	decryptarg);
516	}
517	memset (key->keyvalue.data, 0, key->keyvalue.length);
518	krb5_free_keyblock_contents (context, key);
519	free (key);
520
521	out:
522	if (ret == 0 && ret_as_reply)
523	*ret_as_reply = rep;
524	else
525	krb5_free_kdc_rep (context, &rep);
526	return ret;
527	}
528
529	KRB5_DEPRECATED
530	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
531	krb5_get_in_tkt(krb5_context context,
532	krb5_flags options,
533	const krb5_addresses *addrs,
534	const krb5_enctype *etypes,
535	const krb5_preauthtype *ptypes,
536	krb5_key_proc key_proc,
537	krb5_const_pointer keyseed,
538	krb5_decrypt_proc decrypt_proc,
539	krb5_const_pointer decryptarg,
540	krb5_creds *creds,
541	krb5_ccache ccache,
542	krb5_kdc_rep *ret_as_reply)
543	{
544	krb5_error_code ret;
545
546	ret = krb5_get_in_cred (context,
547	options,
548	addrs,
549	etypes,
550	ptypes,
551	NULL,
552	key_proc,
553	keyseed,
554	decrypt_proc,
555	decryptarg,
556	creds,
557	ret_as_reply);
558	if(ret)
559	return ret;
560	if (ccache)
561	ret = krb5_cc_store_cred (context, ccache, creds);
562	return ret;
563	}
564
565	#endif /* HEIMDAL_SMALLER */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: