Beispiel #1
0
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
		      krb5_auth_context *auth_context,
		      const krb5_flags ap_req_options,
		      krb5_data *in_data,
		      krb5_creds *in_creds,
		      krb5_data *outbuf,
		      krb5_key_usage checksum_usage,
		      krb5_key_usage encrypt_usage)
{
    krb5_error_code ret;
    krb5_data authenticator;
    Checksum c;
    Checksum *c_opt;
    krb5_auth_context ac;

    if(auth_context) {
	if(*auth_context == NULL)
	    ret = krb5_auth_con_init(context, auth_context);
	else
	    ret = 0;
	ac = *auth_context;
    } else
	ret = krb5_auth_con_init(context, &ac);
    if(ret)
	return ret;

    if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
	ret = krb5_auth_con_generatelocalsubkey(context,
						ac,
						&in_creds->session);
	if(ret)
	    goto out;
    }

    krb5_free_keyblock(context, ac->keyblock);
    ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
    if (ret)
	goto out;

    /* it's unclear what type of checksum we can use.  try the best one, except:
     * a) if it's configured differently for the current realm, or
     * b) if the session key is des-cbc-crc
     */

    if (in_data) {
	if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
	    /* this is to make DCE secd (and older MIT kdcs?) happy */
	    ret = krb5_create_checksum(context,
				       NULL,
				       0,
				       CKSUMTYPE_RSA_MD4,
				       in_data->data,
				       in_data->length,
				       &c);
	} else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
		  ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56 ||
		  ac->keyblock->keytype == ETYPE_DES_CBC_MD4 ||
		  ac->keyblock->keytype == ETYPE_DES_CBC_MD5) {
	    /* this is to make MS kdc happy */
	    ret = krb5_create_checksum(context,
				       NULL,
				       0,
				       CKSUMTYPE_RSA_MD5,
				       in_data->data,
				       in_data->length,
				       &c);
	} else {
	    krb5_crypto crypto;

	    ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
	    if (ret)
		goto out;
	    ret = krb5_create_checksum(context,
				       crypto,
				       checksum_usage,
				       0,
				       in_data->data,
				       in_data->length,
				       &c);
	    krb5_crypto_destroy(context, crypto);
	}
	c_opt = &c;
    } else {
	c_opt = NULL;
    }

    if (ret)
	goto out;

    ret = _krb5_build_authenticator(context,
				    ac,
				    ac->keyblock->keytype,
				    in_creds,
				    c_opt,
				    &authenticator,
				    encrypt_usage);
    if (c_opt)
	free_Checksum (c_opt);
    if (ret)
	goto out;

    ret = krb5_build_ap_req (context, ac->keyblock->keytype,
			     in_creds, ap_req_options, authenticator, outbuf);
out:
    if(auth_context == NULL)
	krb5_auth_con_free(context, ac);
    return ret;
}
static OM_uint32
init_auth
(OM_uint32 * minor_status,
 gsskrb5_cred initiator_cred_handle,
 gsskrb5_ctx ctx,
 krb5_const_principal name,
 const gss_OID mech_type,
 OM_uint32 req_flags,
 OM_uint32 time_req,
 const gss_channel_bindings_t input_chan_bindings,
 const gss_buffer_t input_token,
 gss_OID * actual_mech_type,
 gss_buffer_t output_token,
 OM_uint32 * ret_flags,
 OM_uint32 * time_rec
    )
{
    OM_uint32 ret = GSS_S_FAILURE;
    krb5_error_code kret;
    krb5_flags ap_options;
    krb5_creds *cred = NULL;
    krb5_data outbuf;
    krb5_ccache ccache = NULL;
    uint32_t flags;
    krb5_data authenticator;
    Checksum cksum;
    krb5_enctype enctype;
    krb5_data fwd_data;
    OM_uint32 lifetime_rec;

    krb5_data_zero(&outbuf);
    krb5_data_zero(&fwd_data);

    *minor_status = 0;

    if (actual_mech_type)
	*actual_mech_type = GSS_KRB5_MECHANISM;

    if (initiator_cred_handle == NULL) {
	kret = krb5_cc_default (_gsskrb5_context, &ccache);
	if (kret) {
	    _gsskrb5_set_error_string ();
	    *minor_status = kret;
	    ret = GSS_S_FAILURE;
	    goto failure;
	}
    } else
	ccache = initiator_cred_handle->ccache;

    kret = krb5_cc_get_principal (_gsskrb5_context, ccache, &ctx->source);
    if (kret) {
	_gsskrb5_set_error_string ();
	*minor_status = kret;
	ret = GSS_S_FAILURE;
	goto failure;
    }

    kret = krb5_copy_principal (_gsskrb5_context, name, &ctx->target);
    if (kret) {
	_gsskrb5_set_error_string ();
	*minor_status = kret;
	ret = GSS_S_FAILURE;
	goto failure;
    }

    ret = _gss_DES3_get_mic_compat(minor_status, ctx);
    if (ret)
	goto failure;


    ret = gsskrb5_get_creds(minor_status,
			    ccache,
			    ctx,
			    ctx->target,
			    time_req,
			    time_rec,
			    &cred);
    if (ret)
	goto failure;

    ctx->lifetime = cred->times.endtime;

    ret = _gsskrb5_lifetime_left(minor_status,
			       ctx->lifetime,
			       &lifetime_rec);
    if (ret) {
	goto failure;
    }

    if (lifetime_rec == 0) {
	*minor_status = 0;
	ret = GSS_S_CONTEXT_EXPIRED;
	goto failure;
    }

    krb5_auth_con_setkey(_gsskrb5_context, 
			 ctx->auth_context, 
			 &cred->session);

    kret = krb5_auth_con_generatelocalsubkey(_gsskrb5_context, 
					     ctx->auth_context,
					     &cred->session);
    if(kret) {
	_gsskrb5_set_error_string ();
	*minor_status = kret;
	ret = GSS_S_FAILURE;
	goto failure;
    }
    
    /* 
     * If the credential doesn't have ok-as-delegate, check what local
     * policy say about ok-as-delegate, default is FALSE that makes
     * code ignore the KDC setting and follow what the application
     * requested. If its TRUE, strip of the GSS_C_DELEG_FLAG if the
     * KDC doesn't set ok-as-delegate.
     */
    if (!cred->flags.b.ok_as_delegate) {
	krb5_boolean delegate;
    
	krb5_appdefault_boolean(_gsskrb5_context,
				"gssapi", name->realm,
				"ok-as-delegate", FALSE, &delegate);
	if (delegate)
	    req_flags &= ~GSS_C_DELEG_FLAG;
    }

    flags = 0;
    ap_options = 0;
    if (req_flags & GSS_C_DELEG_FLAG)
	do_delegation (ctx->auth_context,
		       ccache, cred, name, &fwd_data, &flags);
    
    if (req_flags & GSS_C_MUTUAL_FLAG) {
	flags |= GSS_C_MUTUAL_FLAG;
	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
    }
    
    if (req_flags & GSS_C_REPLAY_FLAG)
	flags |= GSS_C_REPLAY_FLAG;
    if (req_flags & GSS_C_SEQUENCE_FLAG)
	flags |= GSS_C_SEQUENCE_FLAG;
    if (req_flags & GSS_C_ANON_FLAG)
	;                               /* XXX */
    if (req_flags & GSS_C_DCE_STYLE) {
	/* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
	flags |= GSS_C_DCE_STYLE | GSS_C_MUTUAL_FLAG;
	ap_options |= AP_OPTS_MUTUAL_REQUIRED;
    }
    if (req_flags & GSS_C_IDENTIFY_FLAG)
	flags |= GSS_C_IDENTIFY_FLAG;
    if (req_flags & GSS_C_EXTENDED_ERROR_FLAG)
	flags |= GSS_C_EXTENDED_ERROR_FLAG;

    flags |= GSS_C_CONF_FLAG;
    flags |= GSS_C_INTEG_FLAG;
    flags |= GSS_C_TRANS_FLAG;
    
    if (ret_flags)
	*ret_flags = flags;
    ctx->flags = flags;
    ctx->more_flags |= LOCAL;
    
    ret = _gsskrb5_create_8003_checksum (minor_status,
					 input_chan_bindings,
					 flags,
					 &fwd_data,
					 &cksum);
    krb5_data_free (&fwd_data);
    if (ret)
	goto failure;

    enctype = ctx->auth_context->keyblock->keytype;

    kret = krb5_build_authenticator (_gsskrb5_context,
				     ctx->auth_context,
				     enctype,
				     cred,
				     &cksum,
				     NULL,
				     &authenticator,
				     KRB5_KU_AP_REQ_AUTH);

    if (kret) {
	_gsskrb5_set_error_string ();
	*minor_status = kret;
	ret = GSS_S_FAILURE;
	goto failure;
    }

    kret = krb5_build_ap_req (_gsskrb5_context,
			      enctype,
			      cred,
			      ap_options,
			      authenticator,
			      &outbuf);

    if (kret) {
	_gsskrb5_set_error_string ();
	*minor_status = kret;
	ret = GSS_S_FAILURE;
	goto failure;
    }

    ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
				   (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
    if (ret)
	goto failure;

    krb5_data_free (&outbuf);
    krb5_free_creds(_gsskrb5_context, cred);
    free_Checksum(&cksum);
    if (initiator_cred_handle == NULL)
	krb5_cc_close(_gsskrb5_context, ccache);

    if (flags & GSS_C_MUTUAL_FLAG) {
	ctx->state = INITIATOR_WAIT_FOR_MUTAL;
	return GSS_S_CONTINUE_NEEDED;
    }

    return gsskrb5_initiator_ready(minor_status, ctx);
failure:
    if(cred)
	krb5_free_creds(_gsskrb5_context, cred);
    if (ccache && initiator_cred_handle == NULL)
	krb5_cc_close(_gsskrb5_context, ccache);

    return ret;

}
Beispiel #3
0
krb5_error_code
_krb5_mk_req_internal(krb5_context context,
		      krb5_auth_context *auth_context,
		      const krb5_flags ap_req_options,
		      krb5_data *in_data,
		      krb5_creds *in_creds,
		      krb5_data *outbuf,
		      krb5_key_usage checksum_usage,
		      krb5_key_usage encrypt_usage)
{
  krb5_error_code ret;
  krb5_data authenticator;
  Checksum c;
  Checksum *c_opt;
  krb5_auth_context ac;

  if(auth_context) {
      if(*auth_context == NULL)
	  ret = krb5_auth_con_init(context, auth_context);
      else
	  ret = 0;
      ac = *auth_context;
  } else
      ret = krb5_auth_con_init(context, &ac);
  if(ret)
      return ret;
      
  if(ac->local_subkey == NULL && (ap_req_options & AP_OPTS_USE_SUBKEY)) {
      ret = krb5_auth_con_generatelocalsubkey(context, ac, &in_creds->session);
      if(ret)
	  goto out;
  }

#if 0
  {
      /* This is somewhat bogus since we're possibly overwriting a
         value specified by the user, but it's the easiest way to make
         the code use a compatible enctype */
      Ticket ticket;
      krb5_keytype ticket_keytype;

      ret = decode_Ticket(in_creds->ticket.data, 
			  in_creds->ticket.length, 
			  &ticket, 
			  NULL);
      krb5_enctype_to_keytype (context,
			       ticket.enc_part.etype,
			       &ticket_keytype);

      if (ticket_keytype == in_creds->session.keytype)
	  krb5_auth_setenctype(context, 
			       ac,
			       ticket.enc_part.etype);
      free_Ticket(&ticket);
  }
#endif

  krb5_free_keyblock(context, ac->keyblock);
  ret = krb5_copy_keyblock(context, &in_creds->session, &ac->keyblock);
  if (ret)
      goto out;
  
  /* it's unclear what type of checksum we can use.  try the best one, except:
   * a) if it's configured differently for the current realm, or
   * b) if the session key is des-cbc-crc
   */

  if (in_data) {
      if(ac->keyblock->keytype == ETYPE_DES_CBC_CRC) {
	  /* this is to make DCE secd (and older MIT kdcs?) happy */
	  ret = krb5_create_checksum(context, 
				     NULL,
				     0,
				     CKSUMTYPE_RSA_MD4,
				     in_data->data,
				     in_data->length,
				     &c);
      } else if(ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5 ||
		ac->keyblock->keytype == ETYPE_ARCFOUR_HMAC_MD5_56) {
	  /* this is to make MS kdc happy */ 
	  ret = krb5_create_checksum(context, 
				     NULL,
				     0,
				     CKSUMTYPE_RSA_MD5,
				     in_data->data,
				     in_data->length,
				     &c);
      } else {
	  krb5_crypto crypto;

	  ret = krb5_crypto_init(context, ac->keyblock, 0, &crypto);
	  if (ret)
	      goto out;
	  ret = krb5_create_checksum(context, 
				     crypto,
				     checksum_usage,
				     0,
				     in_data->data,
				     in_data->length,
				     &c);
      	  krb5_crypto_destroy(context, crypto);
      }
      c_opt = &c;
  } else {
      c_opt = NULL;
  }

  if (ret)
      goto out;
  
  ret = krb5_build_authenticator (context,
				  ac,
				  ac->keyblock->keytype,
				  in_creds,
				  c_opt,
				  NULL,
				  &authenticator,
				  encrypt_usage);
  if (c_opt)
      free_Checksum (c_opt);
  if (ret)
    goto out;

  ret = krb5_build_ap_req (context, ac->keyblock->keytype, 
			   in_creds, ap_req_options, authenticator, outbuf);
out:
  if(auth_context == NULL)
      krb5_auth_con_free(context, ac);
  return ret;
}