static krb5_error_code
copy_enctypes(krb5_context context,
const krb5_enctype *in,
krb5_enctype **out)
{
krb5_enctype *p = NULL;
size_t m, n;
for (n = 0; in[n]; n++)
;
n++;
ALLOC(p, n);
if(p == NULL)
return krb5_enomem(context);
for (n = 0, m = 0; in[n]; n++) {
if (krb5_enctype_valid(context, in[n]) != 0)
continue;
p[m++] = in[n];
}
p[m] = KRB5_ENCTYPE_NULL;
if (m == 0) {
free(p);
krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
N_("no valid enctype set", ""));
return KRB5_PROG_ETYPE_NOSUPP;
}
*out = p;
return 0;
}
static krb5_error_code
default_etypes(krb5_context context, krb5_enctype **etype)
{
const krb5_enctype *p;
krb5_enctype *e = NULL, *ep;
int i, n = 0;
p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
ep = realloc(e, (n + 2) * sizeof(*e));
if (ep == NULL) {
free(e);
krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
e = ep;
e[n] = p[i];
e[n + 1] = ETYPE_NULL;
n++;
}
*etype = e;
return 0;
}
KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_string_to_keytype(krb5_context context,
const char *string,
krb5_keytype *keytype)
{
char *end;
int i;
for(i = 0; i < num_keys; i++)
if(strcasecmp(keys[i].name, string) == 0){
*keytype = keys[i].type;
return 0;
}
/* check if the enctype is a number */
*keytype = strtol(string, &end, 0);
if(*end == '\0' && *keytype != 0) {
if (krb5_enctype_valid(context, *keytype) == 0)
return 0;
}
krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
"key type %s not supported", string);
return KRB5_PROG_KEYTYPE_NOSUPP;
}
KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
krb5_kerberos_enctypes(krb5_context context)
{
static const krb5_enctype strong[] = {
ETYPE_AES256_CTS_HMAC_SHA1_96,
ETYPE_AES128_CTS_HMAC_SHA1_96,
ETYPE_DES3_CBC_SHA1,
ETYPE_ARCFOUR_HMAC_MD5,
ETYPE_NULL
};
static const krb5_enctype weak[] = {
ETYPE_AES256_CTS_HMAC_SHA1_96,
ETYPE_AES128_CTS_HMAC_SHA1_96,
ETYPE_DES3_CBC_SHA1,
ETYPE_ARCFOUR_HMAC_MD5,
ETYPE_DES_CBC_MD5,
ETYPE_DES_CBC_MD4,
ETYPE_DES_CBC_CRC,
ETYPE_NULL
};
/*
* if the list of enctypes enabled by "allow_weak_crypto"
* are valid, then return the former default enctype list
* that contained the weak entries.
*/
size_t n;
for (n = 0; weak[n] != ETYPE_NULL; n++)
if (krb5_enctype_valid(context, weak[n]) != 0)
return strong;
return weak;
}
static krb5_error_code
set_etypes (krb5_context context,
const char *name,
krb5_enctype **ret_enctypes)
{
char **etypes_str;
krb5_enctype *etypes = NULL;
etypes_str = krb5_config_get_strings(context, NULL, "libdefaults",
name, NULL);
if(etypes_str){
int i, j, k;
for(i = 0; etypes_str[i]; i++);
etypes = malloc((i+1) * sizeof(*etypes));
if (etypes == NULL) {
krb5_config_free_strings (etypes_str);
return krb5_enomem(context);
}
for(j = 0, k = 0; j < i; j++) {
krb5_enctype e;
if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0)
continue;
if (krb5_enctype_valid(context, e) != 0)
continue;
etypes[k++] = e;
}
etypes[k] = ETYPE_NULL;
krb5_config_free_strings(etypes_str);
}
*ret_enctypes = etypes;
return 0;
}
krb5_error_code
_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
Key **ret_key, krb5_enctype *ret_etype)
{
int i;
krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
krb5_salt def_salt;
krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
for(i = 0; ret != 0 && i < len ; i++) {
Key *key = NULL;
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
continue;
while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
continue;
}
*ret_key = key;
*ret_etype = etypes[i];
ret = 0;
if (is_default_salt_p(&def_salt, key)) {
krb5_free_salt (context, def_salt);
return ret;
}
}
}
krb5_free_salt (context, def_salt);
return ret;
}
krb5_error_code
_kdc_get_preferred_key(krb5_context context,
krb5_kdc_configuration *config,
hdb_entry_ex *h,
const char *name,
krb5_enctype *enctype,
Key **key)
{
krb5_error_code ret;
int i;
if (config->use_strongest_server_key) {
const krb5_enctype *p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != (krb5_enctype)ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, p[i]))
continue;
ret = hdb_enctype2key(context, &h->entry, NULL, p[i], key);
if (ret != 0)
continue;
if (enctype != NULL)
*enctype = p[i];
return 0;
}
} else {
*key = NULL;
for (i = 0; i < h->entry.keys.len; i++) {
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype) != 0 &&
!_kdc_is_weak_exception(h->entry.principal, h->entry.keys.val[i].key.keytype))
continue;
ret = hdb_enctype2key(context, &h->entry, NULL,
h->entry.keys.val[i].key.keytype, key);
if (ret != 0)
continue;
if (enctype != NULL)
*enctype = (*key)->key.keytype;
return 0;
}
}
krb5_set_error_message(context, EINVAL,
"No valid kerberos key found for %s", name);
return EINVAL; /* XXX */
}
static int
get_cred(struct kafs_data *data, const char *name, const char *inst,
const char *realm, uid_t uid, struct kafs_token *kt)
{
krb5_error_code ret;
krb5_creds in_creds, *out_creds;
struct krb5_kafs_data *d = data->data;
int invalid;
memset(&in_creds, 0, sizeof(in_creds));
ret = krb5_make_principal(d->context, &in_creds.server,
realm, name, inst, NULL);
if(ret)
return ret;
ret = krb5_cc_get_principal(d->context, d->id, &in_creds.client);
if(ret){
krb5_free_principal(d->context, in_creds.server);
return ret;
}
in_creds.session.keytype = ETYPE_DES_CBC_CRC;
/* check if des is disable, and in that case enable it for afs */
invalid = krb5_enctype_valid(d->context, in_creds.session.keytype);
if (invalid)
krb5_enctype_enable(d->context, in_creds.session.keytype);
ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
if (ret) {
in_creds.session.keytype = ETYPE_DES_CBC_MD5;
ret = krb5_get_credentials(d->context, 0, d->id, &in_creds, &out_creds);
}
if (invalid)
krb5_enctype_disable(d->context, in_creds.session.keytype);
krb5_free_principal(d->context, in_creds.server);
krb5_free_principal(d->context, in_creds.client);
if(ret)
return ret;
ret = v5_convert(d->context, d->id, out_creds, uid,
(inst != NULL && inst[0] != '\0') ? inst : realm, kt);
krb5_free_creds(d->context, out_creds);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_set_default_in_tkt_etypes(krb5_context context,
const krb5_enctype *etypes)
{
krb5_error_code ret;
krb5_enctype *p = NULL;
unsigned int n, m;
if(etypes) {
for (n = 0; etypes[n]; n++)
;
n++;
ALLOC(p, n);
if(!p) {
krb5_set_error_message (context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
for (n = 0, m = 0; etypes[n]; n++) {
ret = krb5_enctype_valid(context, etypes[n]);
if (ret)
continue;
p[m++] = etypes[n];
}
p[m] = ETYPE_NULL;
if (m == 0) {
free(p);
krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
N_("no valid enctype set", ""));
return KRB5_PROG_ETYPE_NOSUPP;
}
}
if(context->etypes)
free(context->etypes);
context->etypes = p;
return 0;
}
KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
krb5_kerberos_enctypes(krb5_context context)
{
static const krb5_enctype p[] = {
ETYPE_AES256_CTS_HMAC_SHA1_96,
ETYPE_AES128_CTS_HMAC_SHA1_96,
ETYPE_DES3_CBC_SHA1,
ETYPE_ARCFOUR_HMAC_MD5,
ETYPE_NULL
};
static const krb5_enctype weak[] = {
ETYPE_AES256_CTS_HMAC_SHA1_96,
ETYPE_AES128_CTS_HMAC_SHA1_96,
ETYPE_DES3_CBC_SHA1,
ETYPE_DES3_CBC_MD5,
ETYPE_ARCFOUR_HMAC_MD5,
ETYPE_DES_CBC_MD5,
ETYPE_DES_CBC_MD4,
ETYPE_DES_CBC_CRC,
ETYPE_NULL
};
/*
* if the list of enctypes enabled by "allow_weak_crypto"
* are valid, then return the former default enctype list
* that contained the weak entries.
*/
if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC) == 0 &&
krb5_enctype_valid(context, ETYPE_DES_CBC_MD4) == 0 &&
krb5_enctype_valid(context, ETYPE_DES_CBC_MD5) == 0 &&
krb5_enctype_valid(context, ETYPE_DES_CBC_NONE) == 0 &&
krb5_enctype_valid(context, ETYPE_DES_CFB64_NONE) == 0 &&
krb5_enctype_valid(context, ETYPE_DES_PCBC_NONE) == 0)
return weak;
return p;
}
krb5_error_code
_kdc_pk_mk_pa_reply(krb5_context context,
krb5_kdc_configuration *config,
pk_client_params *cp,
const hdb_entry_ex *client,
krb5_enctype sessionetype,
const KDC_REQ *req,
const krb5_data *req_buffer,
krb5_keyblock *reply_key,
krb5_keyblock *sessionkey,
METHOD_DATA *md)
{
krb5_error_code ret;
void *buf = NULL;
size_t len = 0, size = 0;
krb5_enctype enctype;
int pa_type;
hx509_cert kdc_cert = NULL;
size_t i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
return 0;
}
if (req->req_body.etype.len > 0) {
for (i = 0; i < req->req_body.etype.len; i++)
if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"No valid enctype available from client");
goto out;
}
enctype = req->req_body.etype.val[i];
} else
enctype = ETYPE_DES3_CBC_SHA1;
if (cp->type == PKINIT_27) {
PA_PK_AS_REP rep;
const char *type, *other = "";
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP;
if (cp->keyex == USE_RSA) {
ContentInfo info;
type = "enckey";
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&cp->reply_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
config,
cp,
req,
req_buffer,
&cp->reply_key,
&info,
&kdc_cert);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
rep.u.encKeyPack.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
} else {
ContentInfo info;
switch (cp->keyex) {
case USE_DH: type = "dh"; break;
case USE_ECDH: type = "ecdh"; break;
default: krb5_abortx(context, "unknown keyex"); break;
}
if (cp->dh_group_name)
other = cp->dh_group_name;
rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, cp, enctype);
if (ret)
return ret;
ret = pk_mk_pa_reply_dh(context, config,
cp,
&info,
&kdc_cert);
if (ret) {
free_PA_PK_AS_REP(&rep);
krb5_set_error_message(context, ret,
"create pa-reply-dh "
"failed %d", ret);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
rep.u.dhInfo.dhSignedData.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret,
"encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
/* generate the session key using the method from RFC6112 */
{
krb5_keyblock kdc_contribution_key;
krb5_crypto reply_crypto;
krb5_crypto kdccont_crypto;
krb5_data p1 = { strlen("PKINIT"), "PKINIT"};
krb5_data p2 = { strlen("KEYEXCHANGE"), "KEYEXCHANGE"};
void *kckdata;
size_t kcklen;
EncryptedData kx;
void *kxdata;
size_t kxlen;
ret = krb5_generate_random_keyblock(context, sessionetype,
&kdc_contribution_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = krb5_crypto_init(context, &cp->reply_key, enctype, &reply_crypto);
if (ret) {
krb5_free_keyblock_contents(context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = krb5_crypto_init(context, &kdc_contribution_key, sessionetype, &kdccont_crypto);
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
/* KRB-FX-CF2 */
ret = krb5_crypto_fx_cf2(context, kdccont_crypto, reply_crypto,
&p1, &p2, sessionetype, sessionkey);
krb5_crypto_destroy(context, kdccont_crypto);
if (ret) {
krb5_crypto_destroy(context, reply_crypto);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(EncryptionKey, kckdata, kcklen,
&kdc_contribution_key, &size, ret);
krb5_free_keyblock_contents(context, &kdc_contribution_key);
if (ret) {
krb5_set_error_message(context, ret, "encoding of PKINIT-KX Key failed %d", ret);
krb5_crypto_destroy(context, reply_crypto);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (kcklen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_encrypt_EncryptedData(context, reply_crypto, KRB5_KU_PA_PKINIT_KX,
kckdata, kcklen, 0, &kx);
krb5_crypto_destroy(context, reply_crypto);
free(kckdata);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(EncryptedData, kxdata, kxlen,
&kx, &size, ret);
free_EncryptedData(&kx);
if (ret) {
krb5_set_error_message(context, ret, "encoding of PKINIT-KX failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (kxlen != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
/* Add PA-PKINIT-KX */
ret = krb5_padata_add(context, md, KRB5_PADATA_PKINIT_KX, kxdata, kxlen);
if (ret) {
krb5_set_error_message(context, ret,
"Failed adding PKINIT-KX %d", ret);
free(buf);
goto out;
}
}
}
#define use_btmm_with_enckey 0
if (use_btmm_with_enckey && rep.element == choice_PA_PK_AS_REP_encKeyPack) {
PA_PK_AS_REP_BTMM btmm;
heim_any any;
any.data = rep.u.encKeyPack.data;
any.length = rep.u.encKeyPack.length;
btmm.dhSignedData = NULL;
btmm.encKeyPack = &any;
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_BTMM, buf, len, &btmm, &size, ret);
} else {
ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
}
free_PA_PK_AS_REP(&rep);
if (ret) {
krb5_set_error_message(context, ret,
"encode PA-PK-AS-REP failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
} else if (cp->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
ContentInfo info;
if (cp->keyex != USE_RSA) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Windows PK-INIT doesn't support DH");
goto out;
}
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP_19;
rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&cp->reply_key);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
config,
cp,
req,
req_buffer,
&cp->reply_key,
&info,
&kdc_cert);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
rep.u.encKeyPack.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
krb5_set_error_message(context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free(buf);
goto out;
}
} else
krb5_abortx(context, "PK-INIT internal error");
ret = krb5_padata_add(context, md, pa_type, buf, len);
if (ret) {
krb5_set_error_message(context, ret,
"Failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
}
if (config->pkinit_kdc_ocsp_file) {
if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
struct stat sb;
int fd;
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
ocsp.next_update = kdc_time + 60 * 5;
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
if (fd < 0) {
kdc_log(context, config, 0,
"PK-INIT failed to open ocsp data file %d", errno);
goto out_ocsp;
}
ret = fstat(fd, &sb);
if (ret) {
ret = errno;
close(fd);
kdc_log(context, config, 0,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
kdc_log(context, config, 0,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ocsp.data.length = sb.st_size;
ret = read(fd, ocsp.data.data, sb.st_size);
close(fd);
if (ret != sb.st_size) {
kdc_log(context, config, 0,
"PK-INIT failed to read ocsp data %d", errno);
goto out_ocsp;
}
ret = hx509_ocsp_verify(context->hx509ctx,
kdc_time,
kdc_cert,
0,
ocsp.data.data, ocsp.data.length,
&ocsp.expire);
if (ret) {
kdc_log(context, config, 0,
"PK-INIT failed to verify ocsp data %d", ret);
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
} else if (ocsp.expire > 180) {
ocsp.expire -= 180; /* refetch the ocsp before it expire */
ocsp.next_update = ocsp.expire;
} else {
ocsp.next_update = kdc_time;
}
out_ocsp:
ret = 0;
}
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
ret = krb5_padata_add(context, md,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
krb5_set_error_message(context, ret,
"Failed adding OCSP response %d", ret);
goto out;
}
}
}
out:
if (kdc_cert)
hx509_cert_free(kdc_cert);
if (ret == 0)
ret = krb5_copy_keyblock_contents(context, &cp->reply_key, reply_key);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds(krb5_context context,
krb5_get_creds_opt opt,
krb5_ccache ccache,
krb5_const_principal inprinc,
krb5_creds **out_creds)
{
krb5_kdc_flags flags;
krb5_flags options;
krb5_creds in_creds;
krb5_error_code ret;
krb5_creds **tgts;
krb5_creds *try_creds;
krb5_creds *res_creds;
krb5_name_canon_iterator name_canon_iter = NULL;
krb5_name_canon_rule_options rule_opts;
int i;
if (opt && opt->enctype) {
ret = krb5_enctype_valid(context, opt->enctype);
if (ret)
return ret;
}
memset(&in_creds, 0, sizeof(in_creds));
in_creds.server = rk_UNCONST(inprinc);
ret = krb5_cc_get_principal(context, ccache, &in_creds.client);
if (ret)
return ret;
if (opt)
options = opt->options;
else
options = 0;
flags.i = 0;
*out_creds = NULL;
res_creds = calloc(1, sizeof(*res_creds));
if (res_creds == NULL) {
krb5_free_principal(context, in_creds.client);
return krb5_enomem(context);
}
if (opt && opt->enctype) {
in_creds.session.keytype = opt->enctype;
options |= KRB5_TC_MATCH_KEYTYPE;
}
/* Check for entry in ccache */
if (inprinc->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
ret = check_cc(context, options, ccache, &in_creds, res_creds);
if (ret == 0) {
*out_creds = res_creds;
goto out;
}
}
ret = krb5_name_canon_iterator_start(context, NULL, &in_creds,
&name_canon_iter);
if (ret)
goto out;
next_rule:
ret = krb5_name_canon_iterate_creds(context, &name_canon_iter, &try_creds,
&rule_opts);
if (ret)
return ret;
if (name_canon_iter == NULL) {
if (options & KRB5_GC_CACHED)
ret = KRB5_CC_NOTFOUND;
else
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = check_cc(context, options, ccache, try_creds, res_creds);
if (ret == 0) {
*out_creds = res_creds;
goto out;
} else if(ret != KRB5_CC_END) {
goto out;
}
if(options & KRB5_GC_CACHED)
goto next_rule;
if(rule_opts & KRB5_NCRO_USE_REFERRALS)
flags.b.canonicalize = 1;
else if(rule_opts & KRB5_NCRO_NO_REFERRALS)
flags.b.canonicalize = 0;
else
flags.b.canonicalize = (options & KRB5_GC_CANONICALIZE) ? 1 : 0;
if(options & KRB5_GC_USER_USER) {
flags.b.enc_tkt_in_skey = 1;
options |= KRB5_GC_NO_STORE;
}
if (options & KRB5_GC_FORWARDABLE)
flags.b.forwardable = 1;
if (options & KRB5_GC_NO_TRANSIT_CHECK)
flags.b.disable_transited_check = 1;
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
flags.b.request_anonymous = 1; /* XXX ARGH confusion */
flags.b.constrained_delegation = 1;
}
tgts = NULL;
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
try_creds, opt ? opt->self : 0,
opt ? opt->ticket : 0, out_creds,
&tgts);
for(i = 0; tgts && tgts[i]; i++) {
krb5_cc_store_cred(context, ccache, tgts[i]);
krb5_free_creds(context, tgts[i]);
}
free(tgts);
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN &&
!(rule_opts & KRB5_NCRO_SECURE))
goto next_rule;
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
store_cred(context, ccache, inprinc, *out_creds);
out:
if (ret) {
krb5_free_creds(context, res_creds);
ret = not_found(context, inprinc, ret);
}
krb5_free_principal(context, in_creds.client);
krb5_free_name_canon_iterator(context, name_canon_iter);
_krb5_debug(context, 5, "krb5_get_creds: ret = %d", ret);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_credentials_with_flags(krb5_context context,
krb5_flags options,
krb5_kdc_flags flags,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_creds **out_creds)
{
krb5_error_code ret;
krb5_name_canon_iterator name_canon_iter = NULL;
krb5_name_canon_rule_options rule_opts;
krb5_creds **tgts;
krb5_creds *try_creds;
krb5_creds *res_creds;
int i;
if (in_creds->session.keytype) {
ret = krb5_enctype_valid(context, in_creds->session.keytype);
if (ret)
return ret;
options |= KRB5_TC_MATCH_KEYTYPE;
}
*out_creds = NULL;
res_creds = calloc(1, sizeof(*res_creds));
if (res_creds == NULL)
return krb5_enomem(context);
if (in_creds->server->name.name_type == KRB5_NT_SRV_HST_NEEDS_CANON) {
ret = check_cc(context, options, ccache, in_creds, res_creds);
if (ret == 0) {
*out_creds = res_creds;
return 0;
}
}
ret = krb5_name_canon_iterator_start(context, NULL, in_creds,
&name_canon_iter);
if (ret)
return ret;
next_rule:
krb5_free_cred_contents(context, res_creds);
memset(res_creds, 0, sizeof (*res_creds));
ret = krb5_name_canon_iterate_creds(context, &name_canon_iter, &try_creds,
&rule_opts);
if (ret)
goto out;
if (name_canon_iter == NULL) {
if (options & KRB5_GC_CACHED)
ret = KRB5_CC_NOTFOUND;
else
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
ret = check_cc(context, options, ccache, try_creds, res_creds);
if (ret == 0) {
*out_creds = res_creds;
goto out;
} else if(ret != KRB5_CC_END) {
goto out;
}
if(options & KRB5_GC_CACHED)
goto next_rule;
if(options & KRB5_GC_USER_USER)
flags.b.enc_tkt_in_skey = 1;
if (flags.b.enc_tkt_in_skey)
options |= KRB5_GC_NO_STORE;
tgts = NULL;
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
try_creds, NULL, NULL, out_creds, &tgts);
for(i = 0; tgts && tgts[i]; i++) {
krb5_cc_store_cred(context, ccache, tgts[i]);
krb5_free_creds(context, tgts[i]);
}
free(tgts);
if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN &&
!(rule_opts & KRB5_NCRO_SECURE))
goto next_rule;
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
store_cred(context, ccache, in_creds->server, *out_creds);
out:
krb5_free_name_canon_iterator(context, name_canon_iter);
if (ret) {
krb5_free_creds(context, res_creds);
return not_found(context, in_creds->server, ret);
}
return 0;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_verify_ap_req2(krb5_context context,
krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keyblock *keyblock,
krb5_flags flags,
krb5_flags *ap_req_options,
krb5_ticket **ticket,
krb5_key_usage usage)
{
krb5_ticket *t;
krb5_auth_context ac;
krb5_error_code ret;
EtypeList etypes;
memset(&etypes, 0, sizeof(etypes));
if(ticket)
*ticket = NULL;
if (auth_context && *auth_context) {
ac = *auth_context;
} else {
ret = krb5_auth_con_init(context, &ac);
if (ret)
return ret;
}
t = calloc(1, sizeof(*t));
if (t == NULL) {
ret = ENOMEM;
krb5_clear_error_message(context);
goto out;
}
if (ap_req->ap_options.use_session_key && ac->keyblock){
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
ac->keyblock,
&t->ticket,
flags);
krb5_free_keyblock(context, ac->keyblock);
ac->keyblock = NULL;
}else
ret = krb5_decrypt_ticket(context, &ap_req->ticket,
keyblock,
&t->ticket,
flags);
if(ret)
goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->server,
ap_req->ticket.sname,
ap_req->ticket.realm);
if (ret) goto out;
ret = _krb5_principalname2krb5_principal(context,
&t->client,
t->ticket.cname,
t->ticket.crealm);
if (ret) goto out;
ret = decrypt_authenticator(context,
&t->ticket.key,
&ap_req->authenticator,
ac->authenticator,
usage);
if (ret)
goto out;
{
krb5_principal p1, p2;
krb5_boolean res;
_krb5_principalname2krb5_principal(context,
&p1,
ac->authenticator->cname,
ac->authenticator->crealm);
_krb5_principalname2krb5_principal(context,
&p2,
t->ticket.cname,
t->ticket.crealm);
res = krb5_principal_compare(context, p1, p2);
krb5_free_principal(context, p1);
krb5_free_principal(context, p2);
if (!res) {
ret = KRB5KRB_AP_ERR_BADMATCH;
krb5_clear_error_message(context);
goto out;
}
}
/* check addresses */
if (t->ticket.caddr
&& ac->remote_address
&& !krb5_address_search(context,
ac->remote_address,
t->ticket.caddr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
krb5_clear_error_message(context);
goto out;
}
/* check timestamp in authenticator */
{
krb5_timestamp now;
krb5_timeofday(context, &now);
if (krb5_time_abs(ac->authenticator->ctime, now) > context->max_skew) {
ret = KRB5KRB_AP_ERR_SKEW;
krb5_clear_error_message(context);
goto out;
}
}
if (ac->authenticator->seq_number)
krb5_auth_con_setremoteseqnumber(context, ac,
*ac->authenticator->seq_number);
/* XXX - Xor sequence numbers */
if (ac->authenticator->subkey) {
ret = krb5_auth_con_setremotesubkey(context, ac,
ac->authenticator->subkey);
if (ret)
goto out;
}
ret = find_etypelist(context, ac, &etypes);
if (ret)
goto out;
ac->keytype = (krb5_keytype)ETYPE_NULL;
if (etypes.val) {
size_t i;
for (i = 0; i < etypes.len; i++) {
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
ac->keytype = etypes.val[i];
break;
}
}
}
/* save key */
ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
if (ret) goto out;
if (ap_req_options) {
*ap_req_options = 0;
if (ac->keytype != ETYPE_NULL)
*ap_req_options |= AP_OPTS_USE_SUBKEY;
if (ap_req->ap_options.use_session_key)
*ap_req_options |= AP_OPTS_USE_SESSION_KEY;
if (ap_req->ap_options.mutual_required)
*ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
if(ticket)
*ticket = t;
else
krb5_free_ticket(context, t);
if (auth_context) {
if (*auth_context == NULL)
*auth_context = ac;
} else
krb5_auth_con_free(context, ac);
free_EtypeList(&etypes);
return 0;
out:
free_EtypeList(&etypes);
if (t)
krb5_free_ticket(context, t);
if (auth_context == NULL || *auth_context == NULL)
krb5_auth_con_free(context, ac);
return ret;
}
static int
CommandProc(struct cmd_syndesc *as, void *arock)
{
krb5_principal princ = 0;
char *cell, *pname, **hrealms, *service;
char service_temp[MAXKTCREALMLEN + 20];
krb5_creds incred[1], mcred[1], *outcred = 0, *afscred;
krb5_ccache cc = 0;
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt *gic_opts;
#else
krb5_get_init_creds_opt gic_opts[1];
#endif
char *tofree = NULL, *outname;
int code;
char *what;
int i, dosetpag, evil, noprdb, id;
#ifdef AFS_RXK5
int authtype;
#endif
krb5_data enc_part[1];
krb5_prompter_fct pf = NULL;
char *pass = 0;
void *pa = 0;
struct kp_arg klog_arg[1];
char passwd[BUFSIZ];
struct afsconf_cell cellconfig[1];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int writeTicketFile = 0; /* write ticket file to /tmp */
service = 0;
memset(incred, 0, sizeof *incred);
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
memset(klog_arg, 0, sizeof *klog_arg);
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
if (Silent) {
afs_set_com_err_hook(silent_errors);
}
if ((code = krb5_init_context(&k5context))) {
afs_com_err(rn, code, "while initializing Kerberos 5 library");
KLOGEXIT(code);
}
if ((code = rx_Init(0))) {
afs_com_err(rn, code, "while initializing rx");
KLOGEXIT(code);
}
initialize_U_error_table();
/*initialize_krb5_error_table();*/
initialize_RXK_error_table();
initialize_KTC_error_table();
initialize_ACFG_error_table();
/* initialize_rx_error_table(); */
if (!(tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
afs_com_err(rn, 0, "can't get afs configuration (afsconf_Open(%s))",
AFSDIR_CLIENT_ETC_DIRPATH);
KLOGEXIT(1);
}
/*
* Enable DES enctypes, which are currently still required for AFS.
* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
* Heimdal.
*/
#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
if (i)
krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
krb5_allow_weak_crypto(k5context, 1);
#endif
/* Parse remaining arguments. */
dosetpag = !! as->parms[aSETPAG].items;
Pipe = !! as->parms[aPIPE].items;
writeTicketFile = !! as->parms[aTMP].items;
noprdb = !! as->parms[aNOPRDB].items;
evil = (always_evil&1) || !! as->parms[aUNWRAP].items;
#ifdef AFS_RXK5
authtype = 0;
if (as->parms[aK5].items)
authtype |= FORCE_RXK5;
if (as->parms[aK4].items)
authtype |= FORCE_RXKAD;
if (!authtype)
authtype |= env_afs_rxk5_default();
#endif
cell = as->parms[aCELL].items ? as->parms[aCELL].items->data : 0;
if ((code = afsconf_GetCellInfo(tdir, cell, "afsprot", cellconfig))) {
if (cell)
afs_com_err(rn, code, "Can't get cell information for '%s'", cell);
else
afs_com_err(rn, code, "Can't get determine local cell!");
KLOGEXIT(code);
}
if (as->parms[aKRBREALM].items) {
code = krb5_set_default_realm(k5context,
as->parms[aKRBREALM].items->data);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
as->parms[aKRBREALM].items->data);
KLOGEXIT(code);
}
}
else if ((code = krb5_get_host_realm(k5context, cellconfig->hostName[0], &hrealms))) {
afs_com_err(rn, code, "Can't get realm for host <%s> in cell <%s>\n",
cellconfig->hostName[0], cellconfig->name);
KLOGEXIT(code);
} else {
if (hrealms && *hrealms) {
code = krb5_set_default_realm(k5context,
*hrealms);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
*hrealms);
KLOGEXIT(code);
}
}
if (hrealms) krb5_free_host_realm(k5context, hrealms);
}
id = getuid();
if (as->parms[aPRINCIPAL].items) {
pname = as->parms[aPRINCIPAL].items->data;
} else {
/* No explicit name provided: use Unix uid. */
struct passwd *pw;
pw = getpwuid(id);
if (pw == 0) {
afs_com_err(rn, 0,
"Can't figure out your name from your user id (%d).", id);
if (!Silent)
fprintf(stderr, "%s: Try providing the user name.\n", rn);
KLOGEXIT(1);
}
pname = pw->pw_name;
}
code = krb5_parse_name(k5context, pname, &princ);
if (code) {
afs_com_err(rn, code, "Can't parse principal <%s>", pname);
KLOGEXIT(code);
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
pass = passwd;
}
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
strncpy(passwd, getpipepass(), sizeof(passwd));
pass = passwd;
} else {
pf = klog_prompter;
pa = klog_arg;
}
}
service = 0;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
tofree = get_afs_krb5_svc_princ(cellconfig);
snprintf(service_temp, sizeof service_temp, "%s", tofree);
} else
#endif
snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name);
klog_arg->pp = &pass;
klog_arg->pstore = passwd;
klog_arg->allocated = sizeof(passwd);
/* XXX should allow k5 to prompt in most cases -- what about expired pw?*/
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
code = krb5_get_init_creds_opt_alloc(k5context, &gic_opts);
if (code) {
afs_com_err(rn, code, "Can't allocate get_init_creds options");
KLOGEXIT(code);
}
#else
krb5_get_init_creds_opt_init(gic_opts);
#endif
for (;;) {
code = krb5_get_init_creds_password(k5context,
incred,
princ,
pass,
pf, /* prompter */
pa, /* data */
0, /* start_time */
0, /* in_tkt_service */
gic_opts);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
break;
}
memset(passwd, 0, sizeof(passwd));
if (code) {
char *r = 0;
if (krb5_get_default_realm(k5context, &r))
r = 0;
if (r)
afs_com_err(rn, code, "Unable to authenticate in realm %s", r);
else
afs_com_err(rn, code, "Unable to authenticate to use cell %s",
cellconfig->name);
if (r) free(r);
KLOGEXIT(code);
}
for (;;writeTicketFile = 0) {
if (writeTicketFile) {
what = "getting default ccache";
code = krb5_cc_default(k5context, &cc);
} else {
what = "krb5_cc_resolve";
code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
if (code) goto Failed;
}
what = "initializing ccache";
code = krb5_cc_initialize(k5context, cc, princ);
if (code) goto Failed;
what = "writing Kerberos ticket file";
code = krb5_cc_store_cred(k5context, cc, incred);
if (code) goto Failed;
if (writeTicketFile)
fprintf(stderr,
"Wrote ticket file to %s\n",
krb5_cc_get_name(k5context, cc));
break;
Failed:
if (code)
afs_com_err(rn, code, "%s", what);
if (writeTicketFile) {
if (cc) {
krb5_cc_close(k5context, cc);
cc = 0;
}
continue;
}
KLOGEXIT(code);
}
for (service = service_temp;;service = "afs") {
memset(mcred, 0, sizeof *mcred);
mcred->client = princ;
code = krb5_parse_name(k5context, service, &mcred->server);
if (code) {
afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
KLOGEXIT(code);
}
if (tofree) { free(tofree); tofree = 0; }
if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
tofree = outname;
else outname = service;
code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
krb5_free_principal(k5context, mcred->server);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5)
break;
#endif
}
afscred = outcred;
if (code) {
afs_com_err(rn, code, "Unable to get credentials to use %s", outname);
KLOGEXIT(code);
}
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
struct ktc_principal aserver[1];
int viceid = 555;
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
code = ktc_SetK5Token(k5context, aserver, afscred, viceid, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
} else
#endif
{
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
memset(atoken, 0, sizeof *atoken);
if (evil) {
size_t elen = enc_part->length;
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY;
if (afs_krb5_skip_ticket_wrapper(afscred->ticket.data,
afscred->ticket.length, (char **) &enc_part->data,
&elen)) {
afs_com_err(rn, 0, "Can't unwrap %s AFS credential",
cellconfig->name);
KLOGEXIT(1);
}
} else {
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
*enc_part = afscred->ticket;
}
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
if (tkt_DeriveDesKey(get_creds_enctype(afscred),
get_cred_keydata(afscred),
get_cred_keylen(afscred), &atoken->sessionKey)) {
afs_com_err(rn, 0,
"Cannot derive DES key from enctype %i of length %u",
get_creds_enctype(afscred),
(unsigned)get_cred_keylen(afscred));
KLOGEXIT(1);
}
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->name, "afs", 4);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
memset(aclient, 0, sizeof *aclient);
i = realm_len(k5context, afscred->client);
if (i > MAXKTCREALMLEN-1) i = MAXKTCREALMLEN-1;
memcpy(aclient->cell, realm_data(k5context, afscred->client), i);
if (!noprdb) {
int viceid = 0;
k5_to_k4_name(k5context, afscred->client, aclient);
code = whoami(atoken, cellconfig, aclient, &viceid);
if (code) {
afs_com_err(rn, code, "Can't get your viceid for cell %s", cellconfig->name);
*aclient->name = 0;
} else
snprintf(aclient->name, MAXKTCNAMELEN-1, "AFS ID %d", viceid);
}
if (!*aclient->name)
k5_to_k4_name(k5context, afscred->client, aclient);
code = ktc_SetToken(aserver, atoken, aclient, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
}
krb5_free_principal(k5context, princ);
krb5_free_cred_contents(k5context, incred);
if (outcred) krb5_free_creds(k5context, outcred);
if (cc)
krb5_cc_close(k5context, cc);
if (tofree) free(tofree);
return 0;
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_valid_enctype (krb5_enctype etype)
{
return krb5_enctype_valid(NULL, etype);
}
krb5_error_code
_kdc_pk_mk_pa_reply(krb5_context context,
krb5_kdc_configuration *config,
pk_client_params *client_params,
const hdb_entry_ex *client,
const KDC_REQ *req,
const krb5_data *req_buffer,
krb5_keyblock **reply_key,
METHOD_DATA *md)
{
krb5_error_code ret;
void *buf;
size_t len, size;
krb5_enctype enctype;
int pa_type;
hx509_cert kdc_cert = NULL;
int i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
return 0;
}
if (req->req_body.etype.len > 0) {
for (i = 0; i < req->req_body.etype.len; i++)
if (krb5_enctype_valid(context, req->req_body.etype.val[i]) == 0)
break;
if (req->req_body.etype.len <= i) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"No valid enctype available from client");
goto out;
}
enctype = req->req_body.etype.val[i];
} else
enctype = ETYPE_DES3_CBC_SHA1;
if (client_params->type == PKINIT_27) {
PA_PK_AS_REP rep;
const char *type, *other = "";
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP;
if (client_params->dh == NULL) {
ContentInfo info;
type = "enckey";
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
config,
client_params,
req,
req_buffer,
&client_params->reply_key,
&info);
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
rep.u.encKeyPack.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
} else {
ContentInfo info;
type = "dh";
if (client_params->dh_group_name)
other = client_params->dh_group_name;
rep.element = choice_PA_PK_AS_REP_dhInfo;
ret = generate_dh_keyblock(context, client_params, enctype,
&client_params->reply_key);
if (ret)
return ret;
ret = pk_mk_pa_reply_dh(context, client_params->dh,
client_params,
&client_params->reply_key,
&info,
&kdc_cert);
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
rep.u.dhInfo.dhSignedData.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
}
if (ret) {
free_PA_PK_AS_REP(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(PA_PK_AS_REP, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP(&rep);
if (ret) {
krb5_set_error_message(context, ret, "encode PA-PK-AS-REP failed %d",
ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
kdc_log(context, config, 0, "PK-INIT using %s %s", type, other);
} else if (client_params->type == PKINIT_WIN2K) {
PA_PK_AS_REP_Win2k rep;
ContentInfo info;
if (client_params->dh) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "Windows PK-INIT doesn't support DH");
goto out;
}
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP_19;
rep.element = choice_PA_PK_AS_REP_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&client_params->reply_key);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ret = pk_mk_pa_reply_enckey(context,
config,
client_params,
req,
req_buffer,
&client_params->reply_key,
&info);
if (ret) {
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data,
rep.u.encKeyPack.length, &info, &size,
ret);
free_ContentInfo(&info);
if (ret) {
krb5_set_error_message(context, ret, "encoding of Key ContentInfo "
"failed %d", ret);
free_PA_PK_AS_REP_Win2k(&rep);
goto out;
}
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
free_PA_PK_AS_REP_Win2k(&rep);
if (ret) {
krb5_set_error_message(context, ret,
"encode PA-PK-AS-REP-Win2k failed %d", ret);
goto out;
}
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
} else
krb5_abortx(context, "PK-INIT internal error");
ret = krb5_padata_add(context, md, pa_type, buf, len);
if (ret) {
krb5_set_error_message(context, ret, "failed adding PA-PK-AS-REP %d", ret);
free(buf);
goto out;
}
if (config->pkinit_kdc_ocsp_file) {
if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
struct stat sb;
int fd;
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
ocsp.next_update = kdc_time + 60 * 5;
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
if (fd < 0) {
kdc_log(context, config, 0,
"PK-INIT failed to open ocsp data file %d", errno);
goto out_ocsp;
}
ret = fstat(fd, &sb);
if (ret) {
ret = errno;
close(fd);
kdc_log(context, config, 0,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
kdc_log(context, config, 0,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ocsp.data.length = sb.st_size;
ret = read(fd, ocsp.data.data, sb.st_size);
close(fd);
if (ret != sb.st_size) {
kdc_log(context, config, 0,
"PK-INIT failed to read ocsp data %d", errno);
goto out_ocsp;
}
ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
kdc_time,
kdc_cert,
0,
ocsp.data.data, ocsp.data.length,
&ocsp.expire);
if (ret) {
kdc_log(context, config, 0,
"PK-INIT failed to verify ocsp data %d", ret);
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
} else if (ocsp.expire > 180) {
ocsp.expire -= 180; /* refetch the ocsp before it expire */
ocsp.next_update = ocsp.expire;
} else {
ocsp.next_update = kdc_time;
}
out_ocsp:
ret = 0;
}
if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
ret = krb5_padata_add(context, md,
KRB5_PADATA_PA_PK_OCSP_RESPONSE,
ocsp.data.data, ocsp.data.length);
if (ret) {
krb5_set_error_message(context, ret,
"Failed adding OCSP response %d", ret);
goto out;
}
}
}
out:
if (kdc_cert)
hx509_cert_free(kdc_cert);
if (ret == 0)
*reply_key = &client_params->reply_key;
return ret;
}
krb5_error_code
_kdc_as_rep(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
const krb5_data *req_buffer,
krb5_data *reply,
const char *from,
struct sockaddr *from_addr,
int datagram_reply)
{
KDC_REQ_BODY *b = &req->req_body;
AS_REP rep;
KDCOptions f = b->kdc_options;
hdb_entry_ex *client = NULL, *server = NULL;
HDB *clientdb;
krb5_enctype cetype, setype, sessionetype;
krb5_data e_data;
EncTicketPart et;
EncKDCRepPart ek;
krb5_principal client_princ = NULL, server_princ = NULL;
char *client_name = NULL, *server_name = NULL;
krb5_error_code ret = 0;
const char *e_text = NULL;
krb5_crypto crypto;
Key *ckey, *skey;
EncryptionKey *reply_key;
int flags = 0;
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
memset(&rep, 0, sizeof(rep));
krb5_data_zero(&e_data);
if (f.canonicalize)
flags |= HDB_F_CANON;
if(b->sname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No server in request";
} else{
ret = _krb5_principalname2krb5_principal (context,
&server_princ,
*(b->sname),
b->realm);
if (ret == 0)
ret = krb5_unparse_name(context, server_princ, &server_name);
}
if (ret) {
kdc_log(context, config, 0,
"AS-REQ malformed server name from %s", from);
goto out;
}
if(b->cname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
} else {
ret = _krb5_principalname2krb5_principal (context,
&client_princ,
*(b->cname),
b->realm);
if (ret)
goto out;
ret = krb5_unparse_name(context, client_princ, &client_name);
}
if (ret) {
kdc_log(context, config, 0,
"AS-REQ malformed client name from %s", from);
goto out;
}
kdc_log(context, config, 0, "AS-REQ %s from %s for %s",
client_name, from, server_name);
/*
*
*/
if (_kdc_is_anonymous(context, client_princ)) {
if (!b->kdc_options.request_anonymous) {
kdc_log(context, config, 0, "Anonymous ticket w/o anonymous flag");
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
} else if (b->kdc_options.request_anonymous) {
kdc_log(context, config, 0,
"Request for a anonymous ticket with non "
"anonymous client name: %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
/*
*
*/
ret = _kdc_db_fetch(context, config, client_princ,
HDB_F_GET_CLIENT | flags, &clientdb, &client);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret));
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto out;
}
ret = _kdc_db_fetch(context, config, server_princ,
HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
NULL, &server);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
krb5_get_err_text(context, ret));
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto out;
}
memset(&et, 0, sizeof(et));
memset(&ek, 0, sizeof(ek));
/*
* Find the client key for reply encryption and pa-type salt, Pick
* the client key upfront before the other keys because that is
* going to affect what enctypes we are going to use in
* ETYPE-INFO{,2}.
*/
ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
&ckey, &cetype);
if (ret) {
kdc_log(context, config, 0,
"Client (%s) has no support for etypes", client_name);
goto out;
}
/*
* Pre-auth processing
*/
if(req->padata){
int i;
const PA_DATA *pa;
int found_pa = 0;
log_patypes(context, config, req->padata);
#ifdef PKINIT
kdc_log(context, config, 5,
"Looking for PKINIT pa-data -- %s", client_name);
e_text = "No PKINIT PA found";
i = 0;
pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ);
if (pa == NULL) {
i = 0;
pa = _kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN);
}
if (pa) {
char *client_cert = NULL;
ret = _kdc_pk_rd_padata(context, config, req, pa, client, &pkp);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5,
"Failed to decode PKINIT PA-DATA -- %s",
client_name);
goto ts_enc;
}
if (ret == 0 && pkp == NULL)
goto ts_enc;
ret = _kdc_pk_check_client(context,
config,
client,
pkp,
&client_cert);
if (ret) {
e_text = "PKINIT certificate not allowed to "
"impersonate principal";
_kdc_pk_free_client_param(context, pkp);
kdc_log(context, config, 0, "%s", e_text);
pkp = NULL;
goto out;
}
found_pa = 1;
et.flags.pre_authent = 1;
kdc_log(context, config, 0,
"PKINIT pre-authentication succeeded -- %s using %s",
client_name, client_cert);
free(client_cert);
if (pkp)
goto preauth_done;
}
ts_enc:
#endif
kdc_log(context, config, 5, "Looking for ENC-TS pa-data -- %s",
client_name);
i = 0;
e_text = "No ENC-TS found";
while((pa = _kdc_find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){
krb5_data ts_data;
PA_ENC_TS_ENC p;
size_t len;
EncryptedData enc_data;
Key *pa_key;
char *str;
found_pa = 1;
if (b->kdc_options.request_anonymous) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 0, "ENC-TS doesn't support anon");
goto out;
}
ret = decode_EncryptedData(pa->padata_value.data,
pa->padata_value.length,
&enc_data,
&len);
if (ret) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 5, "Failed to decode PA-DATA -- %s",
client_name);
goto out;
}
ret = hdb_enctype2key(context, &client->entry,
enc_data.etype, &pa_key);
if(ret){
char *estr;
e_text = "No key matches pa-data";
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if(krb5_enctype_to_string(context, enc_data.etype, &estr))
estr = NULL;
if(estr == NULL)
kdc_log(context, config, 5,
"No client key matching pa-data (%d) -- %s",
enc_data.etype, client_name);
else
kdc_log(context, config, 5,
"No client key matching pa-data (%s) -- %s",
estr, client_name);
free(estr);
free_EncryptedData(&enc_data);
continue;
}
try_next_key:
ret = krb5_crypto_init(context, &pa_key->key, 0, &crypto);
if (ret) {
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
free_EncryptedData(&enc_data);
continue;
}
ret = krb5_decrypt_EncryptedData (context,
crypto,
KRB5_KU_PA_ENC_TIMESTAMP,
&enc_data,
&ts_data);
krb5_crypto_destroy(context, crypto);
/*
* Since the user might have several keys with the same
* enctype but with diffrent salting, we need to try all
* the keys with the same enctype.
*/
if(ret){
krb5_error_code ret2;
ret2 = krb5_enctype_to_string(context,
pa_key->key.keytype, &str);
if (ret2)
str = NULL;
kdc_log(context, config, 5,
"Failed to decrypt PA-DATA -- %s "
"(enctype %s) error %s",
client_name,
str ? str : "unknown enctype",
krb5_get_err_text(context, ret));
free(str);
if(hdb_next_enctype2key(context, &client->entry,
enc_data.etype, &pa_key) == 0)
goto try_next_key;
e_text = "Failed to decrypt PA-DATA";
free_EncryptedData(&enc_data);
if (clientdb->hdb_auth_status)
(clientdb->hdb_auth_status)(context, clientdb, client, HDB_AUTH_WRONG_PASSWORD);
ret = KRB5KDC_ERR_PREAUTH_FAILED;
continue;
}
free_EncryptedData(&enc_data);
ret = decode_PA_ENC_TS_ENC(ts_data.data,
ts_data.length,
&p,
&len);
krb5_data_free(&ts_data);
if(ret){
e_text = "Failed to decode PA-ENC-TS-ENC";
ret = KRB5KDC_ERR_PREAUTH_FAILED;
kdc_log(context, config,
5, "Failed to decode PA-ENC-TS_ENC -- %s",
client_name);
continue;
}
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
ret = KRB5KRB_AP_ERR_SKEW;
kdc_log(context, config, 0,
"Too large time skew, "
"client time %s is out by %u > %u seconds -- %s",
client_time,
(unsigned)abs(kdc_time - p.patimestamp),
context->max_skew,
client_name);
#if 0
/* This code is from samba, needs testing */
/*
* the following is needed to make windows clients
* to retry using the timestamp in the error message
*
* this is maybe a bug in windows to not trying when e_text
* is present...
*/
e_text = NULL;
#else
e_text = "Too large time skew";
#endif
goto out;
}
et.flags.pre_authent = 1;
ret = krb5_enctype_to_string(context,pa_key->key.keytype, &str);
if (ret)
str = NULL;
kdc_log(context, config, 2,
"ENC-TS Pre-authentication succeeded -- %s using %s",
client_name, str ? str : "unknown enctype");
free(str);
break;
}
#ifdef PKINIT
preauth_done:
#endif
if(found_pa == 0 && config->require_preauth)
goto use_pa;
/* We come here if we found a pa-enc-timestamp, but if there
was some problem with it, other than too large skew */
if(found_pa && et.flags.pre_authent == 0){
kdc_log(context, config, 0, "%s -- %s", e_text, client_name);
e_text = NULL;
goto out;
}
}else if (config->require_preauth
|| b->kdc_options.request_anonymous /* hack to force anon */
|| client->entry.flags.require_preauth
|| server->entry.flags.require_preauth) {
METHOD_DATA method_data;
PA_DATA *pa;
unsigned char *buf;
size_t len;
use_pa:
method_data.len = 0;
method_data.val = NULL;
ret = realloc_method_data(&method_data);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_ENC_TIMESTAMP;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#ifdef PKINIT
ret = realloc_method_data(&method_data);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
ret = realloc_method_data(&method_data);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ_WIN;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#endif
/*
* If there is a client key, send ETYPE_INFO{,2}
*/
if (ckey) {
/*
* RFC4120 requires:
* - If the client only knows about old enctypes, then send
* both info replies (we send 'info' first in the list).
* - If the client is 'modern', because it knows about 'new'
* enctype types, then only send the 'info2' reply.
*
* Before we send the full list of etype-info data, we pick
* the client key we would have used anyway below, just pick
* that instead.
*/
if (older_enctype(ckey->key.keytype)) {
ret = get_pa_etype_info(context, config,
&method_data, ckey);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
}
ret = get_pa_etype_info2(context, config,
&method_data, ckey);
if (ret) {
free_METHOD_DATA(&method_data);
goto out;
}
}
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data);
e_data.data = buf;
e_data.length = len;
e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
kdc_log(context, config, 0,
"No preauth found, returning PREAUTH-REQUIRED -- %s",
client_name);
goto out;
}
if (clientdb->hdb_auth_status)
(clientdb->hdb_auth_status)(context, clientdb, client,
HDB_AUTH_SUCCESS);
/*
* Verify flags after the user been required to prove its identity
* with in a preauth mech.
*/
ret = _kdc_check_access(context, config, client, client_name,
server, server_name,
req, &e_data);
if(ret)
goto out;
/*
* Selelct the best encryption type for the KDC with out regard to
* the client since the client never needs to read that data.
*/
ret = _kdc_get_preferred_key(context, config,
server, server_name,
&setype, &skey);
if(ret)
goto out;
/*
* Select a session enctype from the list of the crypto systems
* supported enctype, is supported by the client and is one of the
* enctype of the enctype of the krbtgt.
*
* The later is used as a hint what enctype all KDC are supporting
* to make sure a newer version of KDC wont generate a session
* enctype that and older version of a KDC in the same realm can't
* decrypt.
*
* But if the KDC admin is paranoid and doesn't want to have "no
* the best" enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs.
*/
{
const krb5_enctype *p;
krb5_enctype clientbest = ETYPE_NULL;
int i, j;
p = krb5_kerberos_enctypes(context);
sessionetype = ETYPE_NULL;
for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
Key *dummy;
/* check with client */
if (p[i] != b->etype.val[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
/* check with krbtgt */
ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
if (ret)
continue;
sessionetype = p[i];
}
}
/* if krbtgt had no shared keys with client, pick clients best */
if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
sessionetype = clientbest;
} else if (sessionetype == ETYPE_NULL) {
kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC"
"to use for the session key",
client_name, from);
goto out;
}
}
log_as_req(context, config, cetype, setype, b);
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey
|| (f.request_anonymous && !config->allow_anonymous)) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0, "Bad KDC options -- %s", client_name);
goto out;
}
rep.pvno = 5;
rep.msg_type = krb_as_rep;
ret = copy_Realm(&client->entry.principal->realm, &rep.crealm);
if (ret)
goto out;
ret = _krb5_principal2principalname(&rep.cname, client->entry.principal);
if (ret)
goto out;
rep.ticket.tkt_vno = 5;
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
_krb5_principal2principalname(&rep.ticket.sname,
server->entry.principal);
/* java 1.6 expects the name to be the same type, lets allow that
* uncomplicated name-types. */
#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
rep.ticket.sname.name_type = b->sname->name_type;
#undef CNT
et.flags.initial = 1;
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
et.flags.forwardable = f.forwardable;
else if (f.forwardable) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be forwardable -- %s", client_name);
goto out;
}
if(client->entry.flags.proxiable && server->entry.flags.proxiable)
et.flags.proxiable = f.proxiable;
else if (f.proxiable) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be proxiable -- %s", client_name);
goto out;
}
if(client->entry.flags.postdate && server->entry.flags.postdate)
et.flags.may_postdate = f.allow_postdate;
else if (f.allow_postdate){
ret = KRB5KDC_ERR_POLICY;
kdc_log(context, config, 0,
"Ticket may not be postdatable -- %s", client_name);
goto out;
}
/* check for valid set of addresses */
if(!_kdc_check_addresses(context, config, b->addresses, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR;
kdc_log(context, config, 0,
"Bad address list requested -- %s", client_name);
goto out;
}
ret = copy_PrincipalName(&rep.cname, &et.cname);
if (ret)
goto out;
ret = copy_Realm(&rep.crealm, &et.crealm);
if (ret)
goto out;
{
time_t start;
time_t t;
start = et.authtime = kdc_time;
if(f.postdated && req->req_body.from){
ALLOC(et.starttime);
start = *et.starttime = *req->req_body.from;
et.flags.invalid = 1;
et.flags.postdated = 1; /* XXX ??? */
}
_kdc_fix_time(&b->till);
t = *b->till;
/* be careful not overflowing */
if(client->entry.max_life)
t = start + min(t - start, *client->entry.max_life);
if(server->entry.max_life)
t = start + min(t - start, *server->entry.max_life);
#if 0
t = min(t, start + realm->max_life);
#endif
et.endtime = t;
if(f.renewable_ok && et.endtime < *b->till){
f.renewable = 1;
if(b->rtime == NULL){
ALLOC(b->rtime);
*b->rtime = 0;
}
if(*b->rtime < *b->till)
*b->rtime = *b->till;
}
if(f.renewable && b->rtime){
t = *b->rtime;
if(t == 0)
t = MAX_TIME;
if(client->entry.max_renew)
t = start + min(t - start, *client->entry.max_renew);
if(server->entry.max_renew)
t = start + min(t - start, *server->entry.max_renew);
#if 0
t = min(t, start + realm->max_renew);
#endif
ALLOC(et.renew_till);
*et.renew_till = t;
et.flags.renewable = 1;
}
}
if (f.request_anonymous)
et.flags.anonymous = 1;
if(b->addresses){
ALLOC(et.caddr);
copy_HostAddresses(b->addresses, et.caddr);
}
et.transited.tr_type = DOMAIN_X500_COMPRESS;
krb5_data_zero(&et.transited.contents);
/* The MIT ASN.1 library (obviously) doesn't tell lengths encoded
* as 0 and as 0x80 (meaning indefinite length) apart, and is thus
* incapable of correctly decoding SEQUENCE OF's of zero length.
*
* To fix this, always send at least one no-op last_req
*
* If there's a pw_end or valid_end we will use that,
* otherwise just a dummy lr.
*/
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
if (ek.last_req.val == NULL) {
ret = ENOMEM;
goto out;
}
ek.last_req.len = 0;
if (client->entry.pw_end
&& (config->kdc_warn_pwexpire == 0
|| kdc_time + config->kdc_warn_pwexpire >= *client->entry.pw_end)) {
ek.last_req.val[ek.last_req.len].lr_type = LR_PW_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.pw_end;
++ek.last_req.len;
}
if (client->entry.valid_end) {
ek.last_req.val[ek.last_req.len].lr_type = LR_ACCT_EXPTIME;
ek.last_req.val[ek.last_req.len].lr_value = *client->entry.valid_end;
++ek.last_req.len;
}
if (ek.last_req.len == 0) {
ek.last_req.val[ek.last_req.len].lr_type = LR_NONE;
ek.last_req.val[ek.last_req.len].lr_value = 0;
++ek.last_req.len;
}
ek.nonce = b->nonce;
if (client->entry.valid_end || client->entry.pw_end) {
ALLOC(ek.key_expiration);
if (client->entry.valid_end) {
if (client->entry.pw_end)
*ek.key_expiration = min(*client->entry.valid_end,
*client->entry.pw_end);
else
*ek.key_expiration = *client->entry.valid_end;
} else
*ek.key_expiration = *client->entry.pw_end;
} else
ek.key_expiration = NULL;
ek.flags = et.flags;
ek.authtime = et.authtime;
if (et.starttime) {
ALLOC(ek.starttime);
*ek.starttime = *et.starttime;
}
ek.endtime = et.endtime;
if (et.renew_till) {
ALLOC(ek.renew_till);
*ek.renew_till = *et.renew_till;
}
copy_Realm(&rep.ticket.realm, &ek.srealm);
copy_PrincipalName(&rep.ticket.sname, &ek.sname);
if(et.caddr){
ALLOC(ek.caddr);
copy_HostAddresses(et.caddr, ek.caddr);
}
ALLOC(rep.padata);
rep.padata->len = 0;
rep.padata->val = NULL;
#if PKINIT
if (pkp) {
e_text = "Failed to build PK-INIT reply";
ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
sessionetype, req, req_buffer,
&reply_key, &et.key, rep.padata);
if (ret)
goto out;
ret = _kdc_add_inital_verified_cas(context,
config,
pkp,
&et);
if (ret)
goto out;
} else
#endif
if (ckey) {
reply_key = &ckey->key;
ret = krb5_generate_random_keyblock(context, sessionetype, &et.key);
if (ret)
goto out;
} else {
e_text = "Client have no reply key";
ret = KRB5KDC_ERR_CLIENT_NOTYET;
goto out;
}
ret = copy_EncryptionKey(&et.key, &ek.key);
if (ret)
goto out;
if (ckey)
set_salt_padata (rep.padata, ckey->salt);
/* Add signing of alias referral */
if (f.canonicalize) {
PA_ClientCanonicalized canon;
krb5_data data;
PA_DATA pa;
krb5_crypto crypto;
size_t len;
memset(&canon, 0, sizeof(canon));
canon.names.requested_name = *b->cname;
canon.names.mapped_name = client->entry.principal->name;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
&canon.names, &len, ret);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
/* sign using "returned session key" */
ret = krb5_crypto_init(context, &et.key, 0, &crypto);
if (ret) {
free(data.data);
goto out;
}
ret = krb5_create_checksum(context, crypto,
KRB5_KU_CANONICALIZED_NAMES, 0,
data.data, data.length,
&canon.canon_checksum);
free(data.data);
krb5_crypto_destroy(context, crypto);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
&canon, &len, ret);
free_Checksum(&canon.canon_checksum);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
pa.padata_value = data;
ret = add_METHOD_DATA(rep.padata, &pa);
free(data.data);
if (ret)
goto out;
}
if (rep.padata->len == 0) {
free(rep.padata);
rep.padata = NULL;
}
/* Add the PAC */
if (send_pac_p(context, req)) {
krb5_pac p = NULL;
krb5_data data;
ret = _kdc_pac_generate(context, client, &p);
if (ret) {
kdc_log(context, config, 0, "PAC generation failed for -- %s",
client_name);
goto out;
}
if (p != NULL) {
ret = _krb5_pac_sign(context, p, et.authtime,
client->entry.principal,
&skey->key, /* Server key */
&skey->key, /* FIXME: should be krbtgt key */
&data);
krb5_pac_free(context, p);
if (ret) {
kdc_log(context, config, 0, "PAC signing failed for -- %s",
client_name);
goto out;
}
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
&data);
krb5_data_free(&data);
if (ret)
goto out;
}
}
_kdc_log_timestamp(context, config, "AS-REQ", et.authtime, et.starttime,
et.endtime, et.renew_till);
/* do this as the last thing since this signs the EncTicketPart */
ret = _kdc_add_KRB5SignedPath(context,
config,
server,
setype,
NULL,
NULL,
&et);
if (ret)
goto out;
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, setype, server->entry.kvno,
&skey->key, client->entry.kvno,
reply_key, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
if (ret)
goto out;
/* */
if (datagram_reply && reply->length > config->max_datagram_reply_length) {
krb5_data_free(reply);
ret = KRB5KRB_ERR_RESPONSE_TOO_BIG;
e_text = "Reply packet too large";
}
out:
free_AS_REP(&rep);
if(ret){
krb5_mk_error(context,
ret,
e_text,
(e_data.data ? &e_data : NULL),
client_princ,
server_princ,
NULL,
NULL,
reply);
ret = 0;
}
#ifdef PKINIT
if (pkp)
_kdc_pk_free_client_param(context, pkp);
#endif
if (e_data.data)
free(e_data.data);
if (client_princ)
krb5_free_principal(context, client_princ);
free(client_name);
if (server_princ)
krb5_free_principal(context, server_princ);
free(server_name);
if(client)
_kdc_free_ent(context, client);
if(server)
_kdc_free_ent(context, server);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_credentials_with_flags(krb5_context context,
krb5_flags options,
krb5_kdc_flags flags,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_creds **out_creds)
{
krb5_error_code ret;
krb5_creds **tgts;
krb5_creds *res_creds;
int i;
if (in_creds->session.keytype) {
ret = krb5_enctype_valid(context, in_creds->session.keytype);
if (ret)
return ret;
}
*out_creds = NULL;
res_creds = calloc(1, sizeof(*res_creds));
if (res_creds == NULL) {
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
if (in_creds->session.keytype)
options |= KRB5_TC_MATCH_KEYTYPE;
/*
* If we got a credential, check if credential is expired before
* returning it.
*/
ret = krb5_cc_retrieve_cred(context,
ccache,
in_creds->session.keytype ?
KRB5_TC_MATCH_KEYTYPE : 0,
in_creds, res_creds);
/*
* If we got a credential, check if credential is expired before
* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
*/
if (ret == 0) {
krb5_timestamp timeret;
/* If expired ok, don't bother checking */
if(options & KRB5_GC_EXPIRED_OK) {
*out_creds = res_creds;
return 0;
}
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
return 0;
}
if(options & KRB5_GC_CACHED)
krb5_cc_remove_cred(context, ccache, 0, res_creds);
} else if(ret != KRB5_CC_END) {
free(res_creds);
return ret;
}
free(res_creds);
if(options & KRB5_GC_CACHED)
return not_found(context, in_creds->server, KRB5_CC_NOTFOUND);
if(options & KRB5_GC_USER_USER)
flags.b.enc_tkt_in_skey = 1;
if (flags.b.enc_tkt_in_skey)
options |= KRB5_GC_NO_STORE;
tgts = NULL;
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
in_creds, NULL, NULL, out_creds, &tgts);
for(i = 0; tgts && tgts[i]; i++) {
krb5_cc_store_cred(context, ccache, tgts[i]);
krb5_free_creds(context, tgts[i]);
}
free(tgts);
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
krb5_cc_store_cred(context, ccache, *out_creds);
return ret;
}
krb5_error_code
_kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
krb5_boolean is_preauth, hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
krb5_enctype *ret_enctype, Key **ret_key)
{
krb5_error_code ret;
krb5_salt def_salt;
krb5_enctype enctype = ETYPE_NULL;
Key *key;
int i;
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
if (ret)
return ret;
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (use_strongest_session_key) {
const krb5_enctype *p;
krb5_enctype clientbest = ETYPE_NULL;
int j;
/*
* Pick the strongest key that the KDC, target service, and
* client all support, using the local cryptosystem enctype
* list in strongest-to-weakest order to drive the search.
*
* This is not what RFC4120 says to do, but it encourages
* adoption of stronger enctypes. This doesn't play well with
* clients that have multiple Kerberos client implementations
* available with different supported enctype lists.
*/
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check that the client supports it too */
for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
if (p[i] != etypes[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
/* check target princ support */
ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
if (ret)
continue;
if (is_preauth && !is_default_salt_p(&def_salt, key))
continue;
enctype = p[i];
}
}
if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
enctype = clientbest;
else if (enctype == ETYPE_NULL)
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (ret == 0 && ret_enctype != NULL)
*ret_enctype = enctype;
if (ret == 0 && ret_key != NULL)
*ret_key = key;
} else {
/*
* Pick the first key from the client's enctype list that is
* supported by the cryptosystem and by the given principal.
*
* RFC4120 says we SHOULD pick the first _strong_ key from the
* client's list... not the first key... If the admin disallows
* weak enctypes in krb5.conf and selects this key selection
* algorithm, then we get exactly what RFC4120 says.
*/
for(key = NULL, i = 0; ret != 0 && i < len; i++, key = NULL) {
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
continue;
while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
continue;
}
if (ret_key != NULL)
*ret_key = key;
if (ret_enctype != NULL)
*ret_enctype = etypes[i];
ret = 0;
if (is_preauth && is_default_salt_p(&def_salt, key))
goto out;
}
}
}
out:
krb5_free_salt (context, def_salt);
return ret;
}
int main(int argc, char *argv[])
{
int status = AKLOG_SUCCESS;
int i;
int somethingswrong = FALSE;
cellinfo_t cellinfo;
extern char *progname; /* Name of this program */
extern int dflag; /* Debug mode */
int cmode = FALSE; /* Cellname mode */
int pmode = FALSE; /* Path name mode */
char realm[REALM_SZ]; /* Kerberos realm of afs server */
char cell[BUFSIZ]; /* Cell to which we are authenticating */
char path[MAXPATHLEN + 1]; /* Path length for path mode */
linked_list cells; /* List of cells to log to */
linked_list paths; /* List of paths to log to */
ll_node *cur_node;
memset(&cellinfo, 0, sizeof(cellinfo));
memset(realm, 0, sizeof(realm));
memset(cell, 0, sizeof(cell));
memset(path, 0, sizeof(path));
ll_init(&cells);
ll_init(&paths);
/* Store the program name here for error messages */
if (progname = LastComponent(argv[0]))
progname++;
else
progname = argv[0];
/* Initialize list of cells to which we have authenticated */
(void)ll_init(&authedcells);
/* Parse commandline arguments and make list of what to do. */
for (i = 1; i < argc; i++)
{
if (strcmp(argv[i], "-d") == 0)
dflag++;
else if (strcmp(argv[i], "-5") == 0)
usev5++;
#ifdef HAVE_KRB4
else if (strcmp(argv[i], "-m") == 0)
use524++;
else if (strcmp(argv[i], "-4") == 0)
usev5 = 0;
#endif
else if (strcmp(argv[i], "-noprdb") == 0)
noprdb++;
else if (strcmp(argv[i], "-force") == 0)
force++;
else if (((strcmp(argv[i], "-cell") == 0) ||
(strcmp(argv[i], "-c") == 0)) && !pmode)
{
if (++i < argc)
{
cmode++;
strcpy(cell, argv[i]);
}
else
usage();
}
else if (((strcmp(argv[i], "-path") == 0) ||
(strcmp(argv[i], "-p") == 0)) && !cmode)
{
if (++i < argc)
{
pmode++;
strcpy(path, argv[i]);
}
else
usage();
}
else if (argv[i][0] == '-')
usage();
else if (!pmode && !cmode)
{
if (FirstComponent(argv[i]) || (strcmp(argv[i], ".") == 0) ||
(strcmp(argv[i], "..") == 0))
{
pmode++;
strcpy(path, argv[i]);
}
else
{
cmode++;
strcpy(cell, argv[i]);
}
}
else
usage();
if (cmode)
{
if (((i + 1) < argc) && (strcmp(argv[i + 1], "-k") == 0))
{
i += 2;
if (i < argc)
strcpy(realm, argv[i]);
else
usage();
}
/* Add this cell to list of cells */
strcpy(cellinfo.cell, cell);
strcpy(cellinfo.realm, realm);
if (cur_node = ll_add_node(&cells, ll_tail))
{
char *new_cellinfo;
if (new_cellinfo = copy_cellinfo(&cellinfo))
ll_add_data(cur_node, new_cellinfo);
else
{
fprintf(stderr, "%s: failure copying cellinfo.\n", progname);
akexit(AKLOG_MISC);
}
}
else
{
fprintf(stderr, "%s: failure adding cell to cells list.\n",
progname);
akexit(AKLOG_MISC);
}
memset(&cellinfo, 0, sizeof(cellinfo));
cmode = FALSE;
memset(cell, 0, sizeof(cell));
memset(realm, 0, sizeof(realm));
}
else if (pmode)
{
/* Add this path to list of paths */
if (cur_node = ll_add_node(&paths, ll_tail))
{
char *new_path;
if (new_path = strdup(path))
ll_add_data(cur_node, new_path);
else
{
fprintf(stderr, "%s: failure copying path name.\n",
progname);
akexit(AKLOG_MISC);
}
}
else
{
fprintf(stderr, "%s: failure adding path to paths list.\n",
progname);
akexit(AKLOG_MISC);
}
pmode = FALSE;
memset(path, 0, sizeof(path));
}
}
if (!noprdb)
initialize_PT_error_table();
if (usev5) {
validate_krb5_availability();
if (krb5_init_context(&context))
return(AKLOG_KERBEROS);
if (krb5_enctype_valid(context, ETYPE_DES_CBC_CRC))
krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
} else
validate_krb4_availability();
afs_set_com_err_hook(redirect_errors);
/* If nothing was given, log to the local cell. */
if ((cells.nelements + paths.nelements) == 0)
status = auth_to_cell(context, NULL, NULL);
else
{
/* Log to all cells in the cells list first */
for (cur_node = cells.first; cur_node; cur_node = cur_node->next)
{
memcpy(&cellinfo, cur_node->data, sizeof(cellinfo));
if (status = auth_to_cell(context,
cellinfo.cell, cellinfo.realm))
somethingswrong++;
}
/* Then, log to all paths in the paths list */
for (cur_node = paths.first; cur_node; cur_node = cur_node->next)
{
if (status = auth_to_path(context,
cur_node->data))
somethingswrong++;
}
/*
* If only one thing was logged to, we'll return the status
* of the single call. Otherwise, we'll return a generic
* something failed status.
*/
if (somethingswrong && ((cells.nelements + paths.nelements) > 1))
status = AKLOG_SOMETHINGSWRONG;
}
akexit(status);
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_creds(krb5_context context,
krb5_get_creds_opt opt,
krb5_ccache ccache,
krb5_const_principal inprinc,
krb5_creds **out_creds)
{
krb5_kdc_flags flags;
krb5_flags options;
krb5_creds in_creds;
krb5_error_code ret;
krb5_creds **tgts;
krb5_creds *res_creds;
int i;
if (opt && opt->enctype) {
ret = krb5_enctype_valid(context, opt->enctype);
if (ret)
return ret;
}
memset(&in_creds, 0, sizeof(in_creds));
in_creds.server = rk_UNCONST(inprinc);
ret = krb5_cc_get_principal(context, ccache, &in_creds.client);
if (ret)
return ret;
if (opt)
options = opt->options;
else
options = 0;
flags.i = 0;
*out_creds = NULL;
res_creds = calloc(1, sizeof(*res_creds));
if (res_creds == NULL) {
krb5_free_principal(context, in_creds.client);
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
if (opt && opt->enctype) {
in_creds.session.keytype = opt->enctype;
options |= KRB5_TC_MATCH_KEYTYPE;
}
/*
* If we got a credential, check if credential is expired before
* returning it.
*/
ret = krb5_cc_retrieve_cred(context,
ccache,
options & KRB5_TC_MATCH_KEYTYPE,
&in_creds, res_creds);
/*
* If we got a credential, check if credential is expired before
* returning it, but only if KRB5_GC_EXPIRED_OK is not set.
*/
if (ret == 0) {
krb5_timestamp timeret;
/* If expired ok, don't bother checking */
if(options & KRB5_GC_EXPIRED_OK) {
*out_creds = res_creds;
krb5_free_principal(context, in_creds.client);
goto out;
}
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
krb5_free_principal(context, in_creds.client);
goto out;
}
if(options & KRB5_GC_CACHED)
krb5_cc_remove_cred(context, ccache, 0, res_creds);
} else if(ret != KRB5_CC_END) {
free(res_creds);
krb5_free_principal(context, in_creds.client);
goto out;
}
free(res_creds);
if(options & KRB5_GC_CACHED) {
krb5_free_principal(context, in_creds.client);
ret = not_found(context, in_creds.server, KRB5_CC_NOTFOUND);
goto out;
}
if(options & KRB5_GC_USER_USER) {
flags.b.enc_tkt_in_skey = 1;
options |= KRB5_GC_NO_STORE;
}
if (options & KRB5_GC_FORWARDABLE)
flags.b.forwardable = 1;
if (options & KRB5_GC_NO_TRANSIT_CHECK)
flags.b.disable_transited_check = 1;
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
flags.b.request_anonymous = 1; /* XXX ARGH confusion */
flags.b.constrained_delegation = 1;
}
if (options & KRB5_GC_CANONICALIZE)
flags.b.canonicalize = 1;
tgts = NULL;
ret = _krb5_get_cred_kdc_any(context, flags, ccache,
&in_creds, opt->self, opt->ticket,
out_creds, &tgts);
krb5_free_principal(context, in_creds.client);
for(i = 0; tgts && tgts[i]; i++) {
krb5_cc_store_cred(context, ccache, tgts[i]);
krb5_free_creds(context, tgts[i]);
}
free(tgts);
if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
krb5_cc_store_cred(context, ccache, *out_creds);
out:
_krb5_debug(context, 5, "krb5_get_creds: ret = %d", ret);
return ret;
}
static krb5_error_code
get_pa_etype_info2(krb5_context context,
krb5_kdc_configuration *config,
METHOD_DATA *md, hdb_entry *client,
ENCTYPE *etypes, unsigned int etypes_len)
{
krb5_error_code ret = 0;
int i, j;
unsigned int n = 0;
ETYPE_INFO2 pa;
unsigned char *buf;
size_t len;
pa.len = client->keys.len;
if(pa.len > UINT_MAX/sizeof(*pa.val))
return ERANGE;
pa.val = malloc(pa.len * sizeof(*pa.val));
if(pa.val == NULL)
return ENOMEM;
memset(pa.val, 0, pa.len * sizeof(*pa.val));
for(i = 0; i < client->keys.len; i++) {
for (j = 0; j < n; j++)
if (pa.val[j].etype == client->keys.val[i].key.keytype)
goto skip1;
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j]) {
if (krb5_enctype_valid(context, etypes[j]) != 0)
continue;
if (n >= pa.len)
krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info2_entry(&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO2(&pa);
return ret;
}
break;
}
}
skip1:;
}
/* send enctypes that the client doesn't know about too */
for(i = 0; i < client->keys.len; i++) {
/* already added? */
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j])
goto skip2;
}
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
continue;
if (n >= pa.len)
krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info2_entry(&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO2(&pa);
return ret;
}
skip2:;
}
if(n < pa.len) {
/* stripped out dups, and not valid enctypes */
pa.len = n;
}
ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret);
free_ETYPE_INFO2(&pa);
if(ret)
return ret;
ret = realloc_method_data(md);
if(ret) {
free(buf);
return ret;
}
md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO2;
md->val[md->len - 1].padata_value.length = len;
md->val[md->len - 1].padata_value.data = buf;
return 0;
}
