Beispiel #1
0
static krb5_error_code
krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
                   krb5_key pkey, krb5_replay_data *replaydata,
                   krb5_creds ***pppcreds)
{
    krb5_error_code       retval = 0;
    krb5_cred           * pcred = NULL;
    krb5_int32            ncreds = 0;
    krb5_int32            i = 0;
    krb5_cred_enc_part    encpart;

    /* decode cred message */
    if ((retval = decode_krb5_cred(pcreddata, &pcred)))
        return retval;

    memset(&encpart, 0, sizeof(encpart));

    if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
        goto cleanup_cred;


    replaydata->timestamp = encpart.timestamp;
    replaydata->usec = encpart.usec;
    replaydata->seq = encpart.nonce;

    /*
     * Allocate the list of creds.  The memory is allocated so that
     * krb5_free_tgt_creds can be used to free the list.
     */
    for (ncreds = 0; pcred->tickets[ncreds]; ncreds++);

    if ((*pppcreds =
         (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
                                        (ncreds + 1)))) == NULL) {
        retval = ENOMEM;
        goto cleanup_cred;
    }
    (*pppcreds)[0] = NULL;

    /*
     * For each credential, create a strcture in the list of
     * credentials and copy the information.
     */
    while (i < ncreds) {
        krb5_cred_info  * pinfo;
        krb5_creds      * pcur;
        krb5_data       * pdata;

        if ((pcur = (krb5_creds *)calloc(1, sizeof(krb5_creds))) == NULL) {
            retval = ENOMEM;
            goto cleanup;
        }

        (*pppcreds)[i] = pcur;
        (*pppcreds)[i+1] = 0;
        pinfo = encpart.ticket_info[i++];

        if ((retval = krb5_copy_principal(context, pinfo->client,
                                          &pcur->client)))
            goto cleanup;

        if ((retval = krb5_copy_principal(context, pinfo->server,
                                          &pcur->server)))
            goto cleanup;

        if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
                                                  &pcur->keyblock)))
            goto cleanup;

        if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
                                          &pcur->addresses)))
            goto cleanup;

        if ((retval = encode_krb5_ticket(pcred->tickets[i - 1], &pdata)))
            goto cleanup;

        pcur->ticket = *pdata;
        free(pdata);


        pcur->is_skey = FALSE;
        pcur->magic = KV5M_CREDS;
        pcur->times = pinfo->times;
        pcur->ticket_flags = pinfo->flags;
        pcur->authdata = NULL;   /* not used */
        memset(&pcur->second_ticket, 0, sizeof(pcur->second_ticket));
    }

    /*
     * NULL terminate the list
     */
    (*pppcreds)[i] = NULL;

cleanup:
    if (retval) {
        krb5_free_tgt_creds(context, *pppcreds);
        *pppcreds = NULL;
    }

cleanup_cred:
    krb5_free_cred(context, pcred);
    krb5_free_cred_enc_part(context, &encpart);

    return retval;
}
Beispiel #2
0
static krb5_error_code
krb5_mk_ncred_basic(krb5_context context,
                    krb5_creds **ppcreds, krb5_int32 nppcreds,
                    krb5_key key, krb5_replay_data *replaydata,
                    krb5_address *local_addr, krb5_address *remote_addr,
                    krb5_cred *pcred)
{
    krb5_cred_enc_part    credenc;
    krb5_error_code       retval;
    size_t                size;
    int                   i;

    credenc.magic = KV5M_CRED_ENC_PART;

    credenc.s_address = 0;
    credenc.r_address = 0;
    if (local_addr) krb5_copy_addr(context, local_addr, &credenc.s_address);
    if (remote_addr) krb5_copy_addr(context, remote_addr, &credenc.r_address);

    credenc.nonce = replaydata->seq;
    credenc.usec = replaydata->usec;
    credenc.timestamp = replaydata->timestamp;

    /* Get memory for creds and initialize it */
    size = sizeof(krb5_cred_info *) * (nppcreds + 1);
    credenc.ticket_info = (krb5_cred_info **) calloc(1, size);
    if (credenc.ticket_info == NULL)
        return ENOMEM;

    /*
     * For each credential in the list, initialize a cred info
     * structure and copy the ticket into the ticket list.
     */
    for (i = 0; i < nppcreds; i++) {
        credenc.ticket_info[i] = calloc(1, sizeof(krb5_cred_info));
        if (credenc.ticket_info[i] == NULL) {
            retval = ENOMEM;
            goto cleanup;
        }
        credenc.ticket_info[i+1] = NULL;

        credenc.ticket_info[i]->magic = KV5M_CRED_INFO;
        credenc.ticket_info[i]->times = ppcreds[i]->times;
        credenc.ticket_info[i]->flags = ppcreds[i]->ticket_flags;

        if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket,
                                         &pcred->tickets[i])))
            goto cleanup;

        if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock,
                                         &credenc.ticket_info[i]->session)))
            goto cleanup;

        if ((retval = krb5_copy_principal(context, ppcreds[i]->client,
                                          &credenc.ticket_info[i]->client)))
            goto cleanup;

        if ((retval = krb5_copy_principal(context, ppcreds[i]->server,
                                          &credenc.ticket_info[i]->server)))
            goto cleanup;

        if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses,
                                          &credenc.ticket_info[i]->caddrs)))
            goto cleanup;
    }

    /*
     * NULL terminate the lists.
     */
    pcred->tickets[i] = NULL;

    /* encrypt the credential encrypted part */
    retval = encrypt_credencpart(context, &credenc, key, &pcred->enc_part);

cleanup:
    krb5_free_cred_enc_part(context, &credenc);
    return retval;
}
Beispiel #3
0
/* Validate a KRB-CRED message in creddata, and return a list of forwarded
 * credentials along with replay cache information. */
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context authcon,
             krb5_data *creddata, krb5_creds ***creds_out,
             krb5_replay_data *replaydata_out)
{
    krb5_error_code ret = 0;
    krb5_creds **credlist = NULL;
    krb5_cred *krbcred = NULL;
    krb5_cred_enc_part *encpart = NULL;
    krb5_replay_data rdata;
    const krb5_int32 flags = authcon->auth_context_flags;

    *creds_out = NULL;

    if (((flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
         (flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
        replaydata_out == NULL)
        return KRB5_RC_REQUIRED;

    ret = decode_krb5_cred(creddata, &krbcred);
    if (ret)
        goto cleanup;

    ret = decrypt_encpart(context, &krbcred->enc_part, authcon, &encpart);
    if (ret)
        goto cleanup;

    ret = make_cred_list(context, krbcred, encpart, &credlist);
    if (ret)
        goto cleanup;

    if (authcon->recv_subkey != NULL || authcon->key != NULL) {
        rdata.timestamp = encpart->timestamp;
        ret = k5_privsafe_check_replay(context, authcon, &rdata,
                                       &krbcred->enc_part, NULL);
        if (ret)
            goto cleanup;
    }

    if (flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
        if (authcon->remote_seq_number != (uint32_t)encpart->nonce) {
            ret = KRB5KRB_AP_ERR_BADORDER;
            goto cleanup;
        }
        authcon->remote_seq_number++;
    }

    *creds_out = credlist;
    credlist = NULL;
    if ((flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
        (flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
        replaydata_out->timestamp = encpart->timestamp;
        replaydata_out->usec = encpart->usec;
        replaydata_out->seq = encpart->nonce;
    }

cleanup:
    krb5_free_tgt_creds(context, credlist);
    krb5_free_cred(context, krbcred);
    krb5_free_cred_enc_part(context, encpart);
    free(encpart);              /* krb5_free_cred_enc_part doesn't do this */
    return ret;
}