static void
send_error(krb5_context context, krb5_creds *my_creds, int fd, char *err_text,
krb5_error_code err_code)
{
krb5_error error;
const char *text;
krb5_data outbuf;
memset(&error, 0, sizeof(error));
krb5_us_timeofday(context, &error.ctime, &error.cusec);
error.server = my_creds->server;
error.client = my_principal;
error.error = err_code - ERROR_TABLE_BASE_krb5;
if (error.error > 127)
error.error = KRB_ERR_GENERIC;
text = (err_text != NULL) ? err_text : error_message(err_code);
error.text.length = strlen(text) + 1;
error.text.data = strdup(text);
if (error.text.data) {
if (!krb5_mk_error(context, &error, &outbuf)) {
(void)krb5_write_message(context, &fd, &outbuf);
krb5_free_data_contents(context, &outbuf);
}
free(error.text.data);
}
}
static void
check_set_time(krb5_context context)
{
krb5_error_code ret;
krb5_timestamp sec;
int32_t usec;
struct timeval tv;
int diff = 10;
int diff2;
gettimeofday(&tv, NULL);
ret = krb5_set_real_time(context, tv.tv_sec + diff, tv.tv_usec);
if (ret)
krb5_err(context, 1, ret, "krb5_us_timeofday");
ret = krb5_us_timeofday(context, &sec, &usec);
if (ret)
krb5_err(context, 1, ret, "krb5_us_timeofday");
diff2 = abs(sec - tv.tv_sec);
if (diff2 < 9 || diff > 11)
krb5_errx(context, 1, "set time error: diff: %d",
abs(sec - tv.tv_sec));
}
static krb5_error_code
make_too_big_error (krb5_data **out)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch;
*out = NULL;
memset(&errpkt, 0, sizeof(errpkt));
retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
if (retval)
return retval;
errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
errpkt.server = tgs_server;
errpkt.client = NULL;
errpkt.text.length = 0;
errpkt.text.data = 0;
errpkt.e_data.length = 0;
errpkt.e_data.data = 0;
scratch = malloc(sizeof(*scratch));
if (scratch == NULL)
return ENOMEM;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
if (retval) {
free(scratch);
return retval;
}
*out = scratch;
return 0;
}
static krb5_error_code
prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
int error, krb5_pa_data **e_data, krb5_boolean typed_e_data,
krb5_principal canon_client, krb5_data **response,
const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch = NULL, *e_data_asn1 = NULL, *fast_edata = NULL;
kdc_realm_t *kdc_active_realm = rstate->realm_data;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
if (retval)
return retval;
errpkt.error = error;
errpkt.server = request->server;
errpkt.client = (error == KRB5KDC_ERR_WRONG_REALM) ? canon_client :
request->client;
errpkt.text = string2data((char *)status);
if (e_data != NULL) {
if (typed_e_data)
retval = encode_krb5_typed_data(e_data, &e_data_asn1);
else
retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
if (retval)
goto cleanup;
errpkt.e_data = *e_data_asn1;
} else
errpkt.e_data = empty_data();
retval = kdc_fast_handle_error(kdc_context, rstate, request, e_data,
&errpkt, &fast_edata);
if (retval)
goto cleanup;
if (fast_edata != NULL)
errpkt.e_data = *fast_edata;
scratch = k5alloc(sizeof(*scratch), &retval);
if (scratch == NULL)
goto cleanup;
if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
errpkt.client = (krb5_principal)krb5_anonymous_principal();
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
if (retval)
goto cleanup;
*response = scratch;
scratch = NULL;
cleanup:
krb5_free_data(kdc_context, fast_edata);
krb5_free_data(kdc_context, e_data_asn1);
free(scratch);
return retval;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_mk_error_ext(krb5_context context,
krb5_error_code error_code,
const char *e_text,
const krb5_data *e_data,
const krb5_principal server,
const PrincipalName *client_name,
const Realm *client_realm,
time_t *client_time,
int *client_usec,
krb5_data *reply)
{
const char *e_text2 = NULL;
KRB_ERROR msg;
krb5_timestamp sec;
int32_t usec;
size_t len = 0;
krb5_error_code ret = 0;
krb5_us_timeofday (context, &sec, &usec);
memset(&msg, 0, sizeof(msg));
msg.pvno = 5;
msg.msg_type = krb_error;
msg.stime = sec;
msg.susec = usec;
msg.ctime = client_time;
msg.cusec = client_usec;
/* Make sure we only send `protocol' error codes */
if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
if(e_text == NULL)
e_text = e_text2 = krb5_get_error_message(context, error_code);
error_code = KRB5KRB_ERR_GENERIC;
}
msg.error_code = error_code - KRB5KDC_ERR_NONE;
if (e_text)
msg.e_text = rk_UNCONST(&e_text);
if (e_data)
msg.e_data = rk_UNCONST(e_data);
if(server){
msg.realm = server->realm;
msg.sname = server->name;
}else{
static char unspec[] = "<unspecified realm>";
msg.realm = unspec;
}
msg.crealm = rk_UNCONST(client_realm);
msg.cname = rk_UNCONST(client_name);
ASN1_MALLOC_ENCODE(KRB_ERROR, reply->data, reply->length, &msg, &len, ret);
if (e_text2)
krb5_free_error_message(context, e_text2);
if (ret)
return ret;
if(reply->length != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
return 0;
}
static krb5_error_code
kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
struct _krb5_db_entry_new *client, krb5_data *req_pkt,
krb5_kdc_req *request, krb5_kdc_rep *reply,
struct _krb5_key_data *client_keys,
krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
preauth_get_entry_data_proc get_entry_proc,
void *pa_module_context, void **pa_request_context)
{
krb5_error_code retval = 0;
krb5_keyblock *challenge_key = *pa_request_context;
krb5_pa_enc_ts ts;
krb5_data *plain = NULL;
krb5_enc_data enc;
krb5_data *encoded = NULL;
krb5_pa_data *pa = NULL;
krb5int_access kaccess;
if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
return 0;
if (challenge_key == NULL)
return 0;
* pa_request_context = NULL; /*this function will free the
* challenge key*/
enc.ciphertext.data = NULL; /* In case of error pass through */
retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
if (retval == 0)
retval = kaccess.encode_enc_ts(&ts, &plain);
if (retval == 0)
retval = kaccess.encrypt_helper(context, challenge_key,
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC,
plain, &enc);
if (retval == 0)
retval = kaccess.encode_enc_data(&enc, &encoded);
if (retval == 0) {
pa = calloc(1, sizeof(krb5_pa_data));
if (pa == NULL)
retval = ENOMEM;
}
if (retval == 0) {
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
pa->contents = (unsigned char *) encoded->data;
pa->length = encoded->length;
encoded->data = NULL;
*send_pa = pa;
pa = NULL;
}
if (challenge_key)
krb5_free_keyblock(context, challenge_key);
if (encoded)
krb5_free_data(context, encoded);
if (plain)
krb5_free_data(context, plain);
if (enc.ciphertext.data)
krb5_free_data_contents(context, &enc.ciphertext);
return retval;
}
static krb5_error_code
generate_authenticator(krb5_context context, krb5_authenticator *authent,
krb5_principal client, krb5_checksum *cksum,
krb5_key key, krb5_ui_4 seq_number,
krb5_authdata **authorization,
krb5_authdata_context ad_context,
krb5_enctype *desired_etypes,
krb5_enctype tkt_enctype)
{
krb5_error_code retval;
krb5_authdata **ext_authdata = NULL;
authent->client = client;
authent->checksum = cksum;
if (key) {
retval = krb5_k_key_keyblock(context, key, &authent->subkey);
if (retval)
return retval;
} else
authent->subkey = 0;
authent->seq_number = seq_number;
authent->authorization_data = NULL;
if (ad_context != NULL) {
retval = krb5_authdata_export_authdata(context,
ad_context,
AD_USAGE_AP_REQ,
&ext_authdata);
if (retval)
return retval;
}
if (authorization != NULL || ext_authdata != NULL) {
retval = krb5_merge_authdata(context,
authorization,
ext_authdata,
&authent->authorization_data);
if (retval) {
krb5_free_authdata(context, ext_authdata);
return retval;
}
krb5_free_authdata(context, ext_authdata);
}
/* Only send EtypeList if we prefer another enctype to tkt_enctype */
if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
TRACE_MK_REQ_ETYPES(context, desired_etypes);
retval = make_etype_list(context, desired_etypes, tkt_enctype,
&authent->authorization_data);
if (retval)
return retval;
}
return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec));
}
static krb5_error_code
make_pa_enc_timestamp(krb5_context context, METHOD_DATA *md,
krb5_enctype etype, krb5_keyblock *key)
{
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
size_t len;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
int usec2;
krb5_crypto crypto;
krb5_us_timeofday (context, &p.patimestamp, &usec);
usec2 = usec;
p.pausec = &usec2;
ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC, buf, buf_size, &p, &len, ret);
if (ret)
return ret;
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
free(buf);
return ret;
}
ret = krb5_encrypt_EncryptedData(context,
crypto,
KRB5_KU_PA_ENC_TIMESTAMP,
buf,
len,
0,
&encdata);
free(buf);
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
free_EncryptedData(&encdata);
if (ret)
return ret;
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_padata_add(context, md, KRB5_PADATA_ENC_TIMESTAMP, buf, len);
if (ret)
free(buf);
return ret;
}
/*
* This routine is the "obtain" function for the ENC_TIMESTAMP
* preauthentication type. It take the current time and encrypts it
* in the user's key.
*/
static krb5_error_code
obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info etype_info, krb5_keyblock *def_enc_key, git_key_proc key_proc, krb5_const_pointer key_seed, krb5_creds *creds, krb5_kdc_req *request, krb5_pa_data **out_padata)
{
krb5_pa_enc_ts pa_enc;
krb5_error_code retval;
krb5_data * scratch;
krb5_enc_data enc_data;
krb5_pa_data * pa;
retval = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec);
if (retval)
return retval;
if ((retval = encode_krb5_pa_enc_ts(&pa_enc, &scratch)) != 0)
return retval;
enc_data.ciphertext.data = 0;
if ((retval = krb5_encrypt_helper(context, def_enc_key,
KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
scratch, &enc_data)))
goto cleanup;
krb5_free_data(context, scratch);
scratch = 0;
if ((retval = encode_krb5_enc_data(&enc_data, &scratch)) != 0)
goto cleanup;
if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) {
retval = ENOMEM;
goto cleanup;
}
pa->magic = KV5M_PA_DATA;
pa->pa_type = KRB5_PADATA_ENC_TIMESTAMP;
pa->length = scratch->length;
pa->contents = (krb5_octet *) scratch->data;
*out_padata = pa;
free(scratch);
scratch = 0;
retval = 0;
cleanup:
if (scratch)
krb5_free_data(context, scratch);
if (enc_data.ciphertext.data)
free(enc_data.ciphertext.data);
return retval;
}
static krb5_error_code
ec_return(krb5_context context, krb5_pa_data *padata, krb5_data *req_pkt,
krb5_kdc_req *request, krb5_kdc_rep *reply,
krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval = 0;
krb5_keyblock *challenge_key = (krb5_keyblock *)modreq;
krb5_pa_enc_ts ts;
krb5_data *plain = NULL;
krb5_enc_data enc;
krb5_data *encoded = NULL;
krb5_pa_data *pa = NULL;
if (challenge_key == NULL)
return 0;
enc.ciphertext.data = NULL; /* In case of error pass through */
retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
if (retval == 0)
retval = encode_krb5_pa_enc_ts(&ts, &plain);
if (retval == 0)
retval = krb5_encrypt_helper(context, challenge_key,
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC,
plain, &enc);
if (retval == 0)
retval = encode_krb5_enc_data(&enc, &encoded);
if (retval == 0) {
pa = calloc(1, sizeof(krb5_pa_data));
if (pa == NULL)
retval = ENOMEM;
}
if (retval == 0) {
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
pa->contents = (unsigned char *) encoded->data;
pa->length = encoded->length;
encoded->data = NULL;
*send_pa = pa;
pa = NULL;
}
if (challenge_key)
krb5_free_keyblock(context, challenge_key);
if (encoded)
krb5_free_data(context, encoded);
if (plain)
krb5_free_data(context, plain);
if (enc.ciphertext.data)
krb5_free_data_contents(context, &enc.ciphertext);
return retval;
}
/*
* This function is not in the Heimdal mainline.
*/
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds)
{
krb5_error_code ret;
int32_t sec, usec;
ret = krb5_us_timeofday(context, &sec, &usec);
if (ret)
return ret;
context->kdc_sec_offset = seconds - sec;
context->kdc_usec_offset = microseconds - usec;
return 0;
}
static krb5_error_code
prepare_error_tgs (struct kdc_request_state *state,
krb5_kdc_req *request, krb5_ticket *ticket, int error,
krb5_principal canon_server,
krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval = 0;
krb5_data *scratch;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
&errpkt.susec)))
return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = NULL;
errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
errpkt.e_data.length = 0;
errpkt.e_data.data = NULL;
if (state)
retval = kdc_fast_handle_error(kdc_context, state, request, NULL, &errpkt);
if (retval) {
free(scratch);
free(errpkt.text.data);
return retval;
}
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
if (retval)
free(scratch);
else
*response = scratch;
return retval;
}
static krb5_error_code
get_preauth_time(krb5_context context, krb5_clpreauth_rock rock,
krb5_boolean allow_unauth_time, krb5_timestamp *time_out,
krb5_int32 *usec_out)
{
if (rock->pa_offset_state != NO_OFFSET &&
(allow_unauth_time || rock->pa_offset_state == AUTH_OFFSET) &&
(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME)) {
/* Use the offset we got from the preauth-required error. */
return k5_time_with_offset(rock->pa_offset, rock->pa_offset_usec,
time_out, usec_out);
} else {
/* Use the time offset from the context, or no offset. */
return krb5_us_timeofday(context, time_out, usec_out);
}
}
static krb5_error_code
prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
const char *ident, krb5_data **response, const char *status)
{
krb5_error errpkt;
krb5_error_code retval;
krb5_data *scratch;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
&errpkt.susec)))
return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = 0;
errpkt.text.length = strlen(status) + 1;
if (!(errpkt.text.data = malloc(errpkt.text.length)))
return ENOMEM;
(void) strcpy(errpkt.text.data, status);
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
errpkt.e_data.length = 0;
errpkt.e_data.data = 0;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
if (retval)
free(scratch);
else
*response = scratch;
return retval;
}
krb5_error_code smb_krb5_mk_error(krb5_context context,
krb5_error_code error_code,
const krb5_principal server,
krb5_data *reply)
{
#ifdef HAVE_SHORT_KRB5_MK_ERROR_INTERFACE /* MIT */
/*
* The MIT interface is *terrible*.
* We have to construct this ourselves...
*/
krb5_error e;
memset(&e, 0, sizeof(e));
krb5_us_timeofday(context, &e.stime, &e.susec);
e.server = server;
#if defined(krb5_err_base)
e.error = error_code - krb5_err_base;
#elif defined(ERROR_TABLE_BASE_krb5)
e.error = error_code - ERROR_TABLE_BASE_krb5;
#else
e.error = error_code; /* Almost certainly wrong, but what can we do... ? */
#endif
return krb5_mk_error(context, &e, reply);
#else /* Heimdal. */
return krb5_mk_error(context,
error_code,
NULL,
NULL, /* e_data */
NULL,
server,
NULL,
NULL,
reply);
#endif
}
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_set_sec_context_option
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
krb5_context context;
OM_uint32 maj_stat;
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
gsskrb5_ctx ctx;
int flag;
if (*context_handle == GSS_C_NO_CONTEXT) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
ctx = (gsskrb5_ctx)*context_handle;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (flag)
ctx->more_flags |= COMPAT_OLD_DES3;
else
ctx->more_flags &= ~COMPAT_OLD_DES3;
ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) {
int flag;
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
krb5_set_dns_canonicalize_hostname(context, flag);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
if (str == NULL) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
krb5_set_default_realm(context, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_CCACHE_NAME_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
if (str == NULL) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
*minor_status = krb5_cc_set_default_name(context, str);
free(str);
if (*minor_status)
return GSS_S_FAILURE;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
OM_uint32 offset;
time_t t;
maj_stat = get_int32(minor_status, value, &offset);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
t = time(NULL) + offset;
krb5_set_real_time(context, t, 0);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
krb5_timestamp sec;
int32_t usec;
time_t t;
t = time(NULL);
krb5_us_timeofday (context, &sec, &usec);
maj_stat = set_int32(minor_status, value, sec - t);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_PLUGIN_REGISTER_X)) {
struct gsskrb5_krb5_plugin c;
if (value->length != sizeof(c)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
memcpy(&c, value->value, sizeof(c));
krb5_plugin_register(context, c.type, c.name, c.symbol);
*minor_status = 0;
return GSS_S_COMPLETE;
}
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_build_authenticator (krb5_context context,
krb5_auth_context auth_context,
krb5_enctype enctype,
krb5_creds *cred,
Checksum *cksum,
krb5_data *result,
krb5_key_usage usage)
{
Authenticator auth;
u_char *buf = NULL;
size_t buf_size;
size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
memset(&auth, 0, sizeof(auth));
auth.authenticator_vno = 5;
copy_Realm(&cred->client->realm, &auth.crealm);
copy_PrincipalName(&cred->client->name, &auth.cname);
krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
if(ret)
goto fail;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
if(auth_context->local_seqnumber == 0)
krb5_generate_seq_number (context,
&cred->session,
&auth_context->local_seqnumber);
ALLOC(auth.seq_number, 1);
if(auth.seq_number == NULL) {
ret = ENOMEM;
goto fail;
}
*auth.seq_number = auth_context->local_seqnumber;
} else
auth.seq_number = NULL;
auth.authorization_data = NULL;
if (cksum) {
ALLOC(auth.cksum, 1);
if (auth.cksum == NULL) {
ret = ENOMEM;
goto fail;
}
ret = copy_Checksum(cksum, auth.cksum);
if (ret)
goto fail;
if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
/*
* This is not GSS-API specific, we only enable it for
* GSS for now
*/
ret = make_etypelist(context, &auth.authorization_data);
if (ret)
goto fail;
}
}
/* XXX - Copy more to auth_context? */
auth_context->authenticator->ctime = auth.ctime;
auth_context->authenticator->cusec = auth.cusec;
ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
if (ret)
goto fail;
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
if (ret)
goto fail;
ret = krb5_encrypt (context,
crypto,
usage /* KRB5_KU_AP_REQ_AUTH */,
buf,
len,
result);
krb5_crypto_destroy(context, crypto);
if (ret)
goto fail;
fail:
free_Authenticator (&auth);
free (buf);
return ret;
}
static krb5_error_code
k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
krb5_data *outbuf, int dce_style)
{
krb5_error_code retval;
krb5_ap_rep_enc_part repl;
krb5_ap_rep reply;
krb5_data * scratch;
krb5_data * toutbuf;
/* Make the reply */
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
(auth_context->local_seq_number == 0)) {
if ((retval = krb5_generate_seq_number(context,
&auth_context->key->keyblock,
&auth_context->local_seq_number)))
return(retval);
}
if (dce_style) {
krb5_us_timeofday(context, &repl.ctime, &repl.cusec);
} else {
repl.ctime = auth_context->authentp->ctime;
repl.cusec = auth_context->authentp->cusec;
}
if (dce_style)
repl.subkey = NULL;
else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
assert(auth_context->negotiated_etype != ENCTYPE_NULL);
retval = k5_generate_and_save_subkey(context, auth_context,
&auth_context->key->keyblock,
auth_context->negotiated_etype);
if (retval)
return retval;
repl.subkey = &auth_context->send_subkey->keyblock;
} else
repl.subkey = auth_context->authentp->subkey;
if (dce_style)
repl.seq_number = auth_context->remote_seq_number;
else
repl.seq_number = auth_context->local_seq_number;
TRACE_MK_REP(context, repl.ctime, repl.cusec, repl.subkey,
repl.seq_number);
/* encode it before encrypting */
if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
return retval;
if ((retval = k5_encrypt_keyhelper(context, auth_context->key,
KRB5_KEYUSAGE_AP_REP_ENCPART, scratch,
&reply.enc_part)))
goto cleanup_scratch;
if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {
*outbuf = *toutbuf;
free(toutbuf);
}
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
reply.enc_part.ciphertext.length = 0;
reply.enc_part.ciphertext.data = 0;
cleanup_scratch:
memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
return retval;
}
/* Construct an AP-REQ message for a TGS request. */
static krb5_error_code
tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data,
krb5_creds *tgt, krb5_keyblock *subkey,
krb5_data **ap_req_asn1_out)
{
krb5_cksumtype cksumtype;
krb5_error_code ret;
krb5_checksum checksum;
krb5_authenticator authent;
krb5_ap_req ap_req;
krb5_data *authent_asn1 = NULL;
krb5_ticket *ticket = NULL;
krb5_enc_data authent_enc;
*ap_req_asn1_out = NULL;
memset(&checksum, 0, sizeof(checksum));
memset(&ap_req, 0, sizeof(ap_req));
memset(&authent_enc, 0, sizeof(authent_enc));
/* Determine the authenticator checksum type. */
switch (tgt->keyblock.enctype) {
case ENCTYPE_DES_CBC_CRC:
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP:
cksumtype = context->kdc_req_sumtype;
break;
default:
ret = krb5int_c_mandatory_cksumtype(context, tgt->keyblock.enctype,
&cksumtype);
if (ret)
goto cleanup;
}
/* Generate checksum. */
ret = krb5_c_make_checksum(context, cksumtype, &tgt->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, checksum_data,
&checksum);
if (ret)
goto cleanup;
/* Construct, encode, and encrypt an authenticator. */
authent.subkey = subkey;
authent.seq_number = 0;
authent.checksum = &checksum;
authent.client = tgt->client;
authent.authorization_data = tgt->authdata;
ret = krb5_us_timeofday(context, &authent.ctime, &authent.cusec);
if (ret)
goto cleanup;
ret = encode_krb5_authenticator(&authent, &authent_asn1);
if (ret)
goto cleanup;
ret = krb5_encrypt_helper(context, &tgt->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH, authent_asn1,
&authent_enc);
if (ret)
goto cleanup;
ret = decode_krb5_ticket(&tgt->ticket, &ticket);
if (ret)
goto cleanup;
/* Encode the AP-REQ. */
ap_req.authenticator = authent_enc;
ap_req.ticket = ticket;
ret = encode_krb5_ap_req(&ap_req, ap_req_asn1_out);
cleanup:
free(checksum.contents);
krb5_free_ticket(context, ticket);
krb5_free_data_contents(context, &authent_enc.ciphertext);
if (authent_asn1 != NULL)
zapfree(authent_asn1->data, authent_asn1->length);
free(authent_asn1);
return ret;
}
krb5_error_code KRB5_LIB_FUNCTION
krb5_get_forwarded_creds (krb5_context context,
krb5_auth_context auth_context,
krb5_ccache ccache,
krb5_flags flags,
const char *hostname,
krb5_creds *in_creds,
krb5_data *out_data)
{
krb5_error_code ret;
krb5_creds *out_creds;
krb5_addresses addrs, *paddrs;
KRB_CRED cred;
KrbCredInfo *krb_cred_info;
EncKrbCredPart enc_krb_cred_part;
size_t len;
unsigned char *buf;
size_t buf_size;
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
struct addrinfo *ai;
int save_errno;
krb5_creds *ticket;
char *realm;
if (in_creds->client && in_creds->client->realm)
realm = in_creds->client->realm;
else
realm = in_creds->server->realm;
addrs.len = 0;
addrs.val = NULL;
paddrs = &addrs;
/*
* If tickets are address-less, forward address-less tickets.
*/
ret = _krb5_get_krbtgt (context,
ccache,
realm,
&ticket);
if(ret == 0) {
if (ticket->addresses.len == 0)
paddrs = NULL;
krb5_free_creds (context, ticket);
}
if (paddrs != NULL) {
ret = getaddrinfo (hostname, NULL, NULL, &ai);
if (ret) {
save_errno = errno;
krb5_set_error_string(context, "resolving %s: %s",
hostname, gai_strerror(ret));
return krb5_eai_to_heim_errno(ret, save_errno);
}
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
return ret;
}
kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,
ccache,
kdc_flags,
paddrs,
NULL,
in_creds,
&out_creds);
krb5_free_addresses (context, &addrs);
if (ret) {
return ret;
}
memset (&cred, 0, sizeof(cred));
cred.pvno = 5;
cred.msg_type = krb_cred;
ALLOC_SEQ(&cred.tickets, 1);
if (cred.tickets.val == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "malloc: out of memory");
goto out2;
}
ret = decode_Ticket(out_creds->ticket.data,
out_creds->ticket.length,
cred.tickets.val, &len);
if (ret)
goto out3;
memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
if (enc_krb_cred_part.ticket_info.val == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "malloc: out of memory");
goto out4;
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_timestamp sec;
int32_t usec;
krb5_us_timeofday (context, &sec, &usec);
ALLOC(enc_krb_cred_part.timestamp, 1);
if (enc_krb_cred_part.timestamp == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "malloc: out of memory");
goto out4;
}
*enc_krb_cred_part.timestamp = sec;
ALLOC(enc_krb_cred_part.usec, 1);
if (enc_krb_cred_part.usec == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "malloc: out of memory");
goto out4;
}
*enc_krb_cred_part.usec = usec;
} else {
enc_krb_cred_part.timestamp = NULL;
enc_krb_cred_part.usec = NULL;
}
if (auth_context->local_address && auth_context->local_port) {
krb5_boolean noaddr;
krb5_const_realm realm;
realm = krb5_principal_get_realm(context, out_creds->server);
krb5_appdefault_boolean(context, NULL, realm, "no-addresses", paddrs == NULL,
&noaddr);
if (!noaddr) {
ret = krb5_make_addrport (context,
&enc_krb_cred_part.s_address,
auth_context->local_address,
auth_context->local_port);
if (ret)
goto out4;
}
}
if (auth_context->remote_address) {
if (auth_context->remote_port) {
krb5_boolean noaddr;
krb5_const_realm realm;
realm = krb5_principal_get_realm(context, out_creds->server);
/* Is this correct, and should we use the paddrs == NULL
trick here as well? Having an address-less ticket may
indicate that we don't know our own global address, but
it does not necessary mean that we don't know the
server's. */
krb5_appdefault_boolean(context, NULL, realm, "no-addresses",
FALSE, &noaddr);
if (!noaddr) {
ret = krb5_make_addrport (context,
&enc_krb_cred_part.r_address,
auth_context->remote_address,
auth_context->remote_port);
if (ret)
goto out4;
}
} else {
ALLOC(enc_krb_cred_part.r_address, 1);
if (enc_krb_cred_part.r_address == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "malloc: out of memory");
goto out4;
}
ret = krb5_copy_address (context, auth_context->remote_address,
enc_krb_cred_part.r_address);
if (ret)
goto out4;
}
}
/* fill ticket_info.val[0] */
enc_krb_cred_part.ticket_info.len = 1;
krb_cred_info = enc_krb_cred_part.ticket_info.val;
copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
ALLOC(krb_cred_info->prealm, 1);
copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
ALLOC(krb_cred_info->pname, 1);
copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
ALLOC(krb_cred_info->flags, 1);
*krb_cred_info->flags = out_creds->flags.b;
ALLOC(krb_cred_info->authtime, 1);
*krb_cred_info->authtime = out_creds->times.authtime;
ALLOC(krb_cred_info->starttime, 1);
*krb_cred_info->starttime = out_creds->times.starttime;
ALLOC(krb_cred_info->endtime, 1);
*krb_cred_info->endtime = out_creds->times.endtime;
ALLOC(krb_cred_info->renew_till, 1);
*krb_cred_info->renew_till = out_creds->times.renew_till;
ALLOC(krb_cred_info->srealm, 1);
copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
ALLOC(krb_cred_info->sname, 1);
copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
ALLOC(krb_cred_info->caddr, 1);
copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
krb5_free_creds (context, out_creds);
/* encode EncKrbCredPart */
ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
&enc_krb_cred_part, &len, ret);
free_EncKrbCredPart (&enc_krb_cred_part);
if (ret) {
free_KRB_CRED(&cred);
return ret;
}
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
cred.enc_part.etype = ENCTYPE_NULL;
cred.enc_part.kvno = NULL;
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
krb5_keyblock *key;
if (auth_context->local_subkey)
key = auth_context->local_subkey;
else if (auth_context->remote_subkey)
key = auth_context->remote_subkey;
else
key = auth_context->keyblock;
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
return ret;
}
ret = krb5_encrypt_EncryptedData (context,
crypto,
KRB5_KU_KRB_CRED,
buf,
len,
0,
&cred.enc_part);
free(buf);
krb5_crypto_destroy(context, crypto);
if (ret) {
free_KRB_CRED(&cred);
return ret;
}
}
ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
free_KRB_CRED (&cred);
if (ret)
return ret;
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
out_data->length = len;
out_data->data = buf;
return 0;
out4:
free_EncKrbCredPart(&enc_krb_cred_part);
out3:
free_KRB_CRED(&cred);
out2:
krb5_free_creds (context, out_creds);
return ret;
}
/*
Sends a request to the TGS and waits for a response.
options is used for the options in the KRB_TGS_REQ.
timestruct values are used for from, till, rtime " " "
enctype is used for enctype " " ", and to encrypt the authorization data,
sname is used for sname " " "
addrs, if non-NULL, is used for addresses " " "
authorization_dat, if non-NULL, is used for authorization_dat " " "
second_ticket, if required by options, is used for the 2nd ticket in the req.
in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
(the KDC realm is extracted from in_cred->server's realm)
The response is placed into *rep.
rep->response.data is set to point at allocated storage which should be
freed by the caller when finished.
returns system errors
*/
static krb5_error_code
krb5_send_tgs_basic(krb5_context context, krb5_data *in_data, krb5_creds *in_cred, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_checksum checksum;
krb5_authenticator authent;
krb5_ap_req request;
krb5_data * scratch;
krb5_data * toutbuf;
/* Generate checksum */
if ((retval = krb5_c_make_checksum(context, context->kdc_req_sumtype,
&in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
in_data, &checksum))) {
free(checksum.contents);
return(retval);
}
/* gen authenticator */
authent.subkey = 0;
authent.seq_number = 0;
authent.checksum = &checksum;
authent.client = in_cred->client;
authent.authorization_data = in_cred->authdata;
if ((retval = krb5_us_timeofday(context, &authent.ctime,
&authent.cusec))) {
free(checksum.contents);
return(retval);
}
/* encode the authenticator */
if ((retval = encode_krb5_authenticator(&authent, &scratch))) {
free(checksum.contents);
return(retval);
}
free(checksum.contents);
request.authenticator.ciphertext.data = 0;
request.authenticator.kvno = 0;
request.ap_options = 0;
request.ticket = 0;
if ((retval = decode_krb5_ticket(&(in_cred)->ticket, &request.ticket)))
/* Cleanup scratch and scratch data */
goto cleanup_data;
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
KRB5_KEYUSAGE_TGS_REQ_AUTH,
scratch, &request.authenticator)))
goto cleanup_ticket;
retval = encode_krb5_ap_req(&request, &toutbuf);
/* Solaris Kerberos */
if (retval == 0) {
*outbuf = *toutbuf;
krb5_xfree(toutbuf);
}
memset(request.authenticator.ciphertext.data, 0,
request.authenticator.ciphertext.length);
free(request.authenticator.ciphertext.data);
cleanup_ticket:
krb5_free_ticket(context, request.ticket);
cleanup_data:
memset(scratch->data, 0, scratch->length);
free(scratch->data);
free(scratch);
return retval;
}
static krb5_error_code
process_preauth(krb5_context context, void *plugin_context,
void *request_context, krb5_get_init_creds_opt *opt,
preauth_get_client_data_proc get_data_proc,
struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data *padata,
krb5_prompter_fct prompter, void *prompter_data,
preauth_get_as_key_proc gak_fct, void *gak_data,
krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
krb5_pa_data ***out_padata)
{
krb5_error_code retval = 0;
krb5_enctype enctype = 0;
krb5_keyblock *challenge_key = NULL, *armor_key = NULL;
krb5_data *etype_data = NULL;
krb5int_access kaccess;
if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
return 0;
retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
if (retval || armor_key == NULL)
return 0;
retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data);
if (retval == 0) {
enctype = *((krb5_enctype *)etype_data->data);
if (as_key->length == 0 ||as_key->enctype != enctype)
retval = gak_fct(context, request->client,
enctype, prompter, prompter_data,
salt, s2kparams,
as_key, gak_data);
}
if (retval == 0 && padata->length) {
krb5_enc_data *enc = NULL;
krb5_data scratch;
scratch.length = padata->length;
scratch.data = (char *) padata->contents;
retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor",
as_key, "challengelongterm",
&challenge_key);
if (retval == 0)
retval =kaccess.decode_enc_data(&scratch, &enc);
scratch.data = NULL;
if (retval == 0) {
scratch.data = malloc(enc->ciphertext.length);
scratch.length = enc->ciphertext.length;
if (scratch.data == NULL)
retval = ENOMEM;
}
if (retval == 0)
retval = krb5_c_decrypt(context, challenge_key,
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL,
enc, &scratch);
/*
* Per draft 11 of the preauth framework, the client MAY but is not
* required to actually check the timestamp from the KDC other than to
* confirm it decrypts. This code does not perform that check.
*/
if (scratch.data)
krb5_free_data_contents(context, &scratch);
if (retval == 0)
fast_set_kdc_verified(context, get_data_proc, rock);
if (enc)
kaccess.free_enc_data(context, enc);
} else if (retval == 0) { /*No padata; we send*/
krb5_enc_data enc;
krb5_pa_data *pa = NULL;
krb5_pa_data **pa_array = NULL;
krb5_data *encoded_ts = NULL;
krb5_pa_enc_ts ts;
enc.ciphertext.data = NULL;
retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
if (retval == 0)
retval = kaccess.encode_enc_ts(&ts, &encoded_ts);
if (retval == 0)
retval = krb5_c_fx_cf2_simple(context,
armor_key, "clientchallengearmor",
as_key, "challengelongterm",
&challenge_key);
if (retval == 0)
retval = kaccess.encrypt_helper(context, challenge_key,
KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
encoded_ts, &enc);
if (encoded_ts)
krb5_free_data(context, encoded_ts);
encoded_ts = NULL;
if (retval == 0) {
retval = kaccess.encode_enc_data(&enc, &encoded_ts);
krb5_free_data_contents(context, &enc.ciphertext);
}
if (retval == 0) {
pa = calloc(1, sizeof(krb5_pa_data));
if (pa == NULL)
retval = ENOMEM;
}
if (retval == 0) {
pa_array = calloc(2, sizeof(krb5_pa_data *));
if (pa_array == NULL)
retval = ENOMEM;
}
if (retval == 0) {
pa->length = encoded_ts->length;
pa->contents = (unsigned char *) encoded_ts->data;
pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
free(encoded_ts);
encoded_ts = NULL;
pa_array[0] = pa;
pa = NULL;
*out_padata = pa_array;
pa_array = NULL;
}
if (pa)
free(pa);
if (encoded_ts)
krb5_free_data(context, encoded_ts);
if (pa_array)
free(pa_array);
}
if (challenge_key)
krb5_free_keyblock(context, challenge_key);
if (armor_key)
krb5_free_keyblock(context, armor_key);
if (etype_data != NULL)
get_data_proc(context, rock, krb5plugin_preauth_client_free_etype,
&etype_data);
return retval;
}
/*
* This functions takes as input an array of krb5_credentials, and
* outputs an encoded KRB_CRED message suitable for krb5_rd_cred
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
krb5_creds **ppcreds, krb5_data **ppdata,
krb5_replay_data *outdata)
{
krb5_address * premote_fulladdr = NULL;
krb5_address * plocal_fulladdr = NULL;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
krb5_cred * pcred;
krb5_int32 ncred;
krb5_boolean increased_sequence = FALSE;
local_fulladdr.contents = 0;
remote_fulladdr.contents = 0;
memset(&replaydata, 0, sizeof(krb5_replay_data));
if (ppcreds == NULL)
return KRB5KRB_AP_ERR_BADADDR;
/*
* Allocate memory for a NULL terminated list of tickets.
*/
for (ncred = 0; ppcreds[ncred]; ncred++)
;
if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL)
return ENOMEM;
if ((pcred->tickets
= (krb5_ticket **)calloc((size_t)ncred+1,
sizeof(krb5_ticket *))) == NULL) {
retval = ENOMEM;
goto error;
}
/* Get keyblock */
if ((key = auth_context->send_subkey) == NULL)
key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
(auth_context->rcache == NULL)) {
retval = KRB5_RC_REQUIRED;
goto error;
}
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
&& (outdata == NULL)) {
/* Need a better error */
retval = KRB5_RC_REQUIRED;
goto error;
}
if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
&replaydata.usec)))
goto error;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
outdata->timestamp = replaydata.timestamp;
outdata->usec = replaydata.usec;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
replaydata.seq = auth_context->local_seq_number++;
increased_sequence = TRUE;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = replaydata.seq;
}
if (auth_context->local_addr) {
if (auth_context->local_port) {
if ((retval = krb5_make_fulladdr(context, auth_context->local_addr,
auth_context->local_port,
&local_fulladdr)))
goto error;
plocal_fulladdr = &local_fulladdr;
} else {
plocal_fulladdr = auth_context->local_addr;
}
}
if (auth_context->remote_addr) {
if (auth_context->remote_port) {
if ((retval = krb5_make_fulladdr(context,auth_context->remote_addr,
auth_context->remote_port,
&remote_fulladdr)))
goto error;
premote_fulladdr = &remote_fulladdr;
} else {
premote_fulladdr = auth_context->remote_addr;
}
}
/* Setup creds structure */
if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key,
&replaydata, plocal_fulladdr,
premote_fulladdr, pcred))) {
goto error;
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
"_forw", &replay.client)))
goto error;
replay.server = ""; /* XXX */
replay.msghash = NULL;
replay.cusec = replaydata.usec;
replay.ctime = replaydata.timestamp;
if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
/* should we really error out here? XXX */
free(replay.client);
goto error;
}
free(replay.client);
}
/* Encode creds structure */
retval = encode_krb5_cred(pcred, ppdata);
error:
free(local_fulladdr.contents);
free(remote_fulladdr.contents);
krb5_free_cred(context, pcred);
if (retval) {
if (increased_sequence)
auth_context->local_seq_number--;
}
return retval;
}
static krb5_error_code
encts_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
krb5_kdc_req *request, krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data *padata,
krb5_prompter_fct prompter, void *prompter_data,
krb5_pa_data ***out_padata)
{
krb5_error_code ret;
krb5_pa_enc_ts pa_enc;
krb5_data *ts = NULL, *enc_ts = NULL;
krb5_enc_data enc_data;
krb5_pa_data **pa = NULL;
krb5_keyblock *as_key;
enc_data.ciphertext = empty_data();
ret = cb->get_as_key(context, rock, &as_key);
if (ret)
goto cleanup;
TRACE_PREAUTH_ENC_TS_KEY_GAK(context, as_key);
/* now get the time of day, and encrypt it accordingly */
ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec);
if (ret)
goto cleanup;
ret = encode_krb5_pa_enc_ts(&pa_enc, &ts);
if (ret)
goto cleanup;
ret = krb5_encrypt_helper(context, as_key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
ts, &enc_data);
if (ret)
goto cleanup;
TRACE_PREAUTH_ENC_TS(context, pa_enc.patimestamp, pa_enc.pausec,
ts, &enc_data.ciphertext);
ret = encode_krb5_enc_data(&enc_data, &enc_ts);
if (ret)
goto cleanup;
pa = k5alloc(2 * sizeof(krb5_pa_data *), &ret);
if (pa == NULL)
goto cleanup;
pa[0] = k5alloc(sizeof(krb5_pa_data), &ret);
if (pa[0] == NULL)
goto cleanup;
pa[0]->magic = KV5M_PA_DATA;
pa[0]->pa_type = KRB5_PADATA_ENC_TIMESTAMP;
pa[0]->length = enc_ts->length;
pa[0]->contents = (krb5_octet *) enc_ts->data;
enc_ts->data = NULL;
pa[1] = NULL;
*out_padata = pa;
pa = NULL;
cleanup:
krb5_free_data(context, ts);
krb5_free_data(context, enc_ts);
free(enc_data.ciphertext.data);
free(pa);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_forwarded_creds (krb5_context context,
krb5_auth_context auth_context,
krb5_ccache ccache,
krb5_flags flags,
const char *hostname,
krb5_creds *in_creds,
krb5_data *out_data)
{
krb5_error_code ret;
krb5_creds *out_creds;
krb5_addresses addrs, *paddrs;
KRB_CRED cred;
KrbCredInfo *krb_cred_info;
EncKrbCredPart enc_krb_cred_part;
size_t len;
unsigned char *buf;
size_t buf_size;
krb5_kdc_flags kdc_flags;
krb5_crypto crypto;
struct addrinfo *ai;
krb5_creds *ticket;
paddrs = NULL;
addrs.len = 0;
addrs.val = NULL;
ret = krb5_get_credentials(context, 0, ccache, in_creds, &ticket);
if(ret == 0) {
if (ticket->addresses.len)
paddrs = &addrs;
krb5_free_creds (context, ticket);
} else {
krb5_boolean noaddr;
krb5_appdefault_boolean(context, NULL,
krb5_principal_get_realm(context,
in_creds->client),
"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
&noaddr);
if (!noaddr)
paddrs = &addrs;
}
/*
* If tickets have addresses, get the address of the remote host.
*/
if (paddrs != NULL) {
ret = getaddrinfo (hostname, NULL, NULL, &ai);
if (ret) {
krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, errno);
krb5_set_error_message(context, ret2,
N_("resolving host %s failed: %s",
"hostname, error"),
hostname, gai_strerror(ret));
return ret2;
}
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
return ret;
}
kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,
ccache,
kdc_flags,
paddrs,
NULL,
in_creds,
&out_creds);
krb5_free_addresses (context, &addrs);
if (ret)
return ret;
memset (&cred, 0, sizeof(cred));
cred.pvno = 5;
cred.msg_type = krb_cred;
ALLOC_SEQ(&cred.tickets, 1);
if (cred.tickets.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out2;
}
ret = decode_Ticket(out_creds->ticket.data,
out_creds->ticket.length,
cred.tickets.val, &len);
if (ret)
goto out3;
memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1);
if (enc_krb_cred_part.ticket_info.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out4;
}
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_timestamp sec;
int32_t usec;
krb5_us_timeofday (context, &sec, &usec);
ALLOC(enc_krb_cred_part.timestamp, 1);
if (enc_krb_cred_part.timestamp == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out4;
}
*enc_krb_cred_part.timestamp = sec;
ALLOC(enc_krb_cred_part.usec, 1);
if (enc_krb_cred_part.usec == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out4;
}
*enc_krb_cred_part.usec = usec;
} else {
enc_krb_cred_part.timestamp = NULL;
enc_krb_cred_part.usec = NULL;
}
if (auth_context->local_address && auth_context->local_port && paddrs) {
ret = krb5_make_addrport (context,
&enc_krb_cred_part.s_address,
auth_context->local_address,
auth_context->local_port);
if (ret)
goto out4;
}
if (auth_context->remote_address) {
if (auth_context->remote_port) {
krb5_boolean noaddr;
krb5_const_realm srealm;
srealm = krb5_principal_get_realm(context, out_creds->server);
/* Is this correct, and should we use the paddrs == NULL
trick here as well? Having an address-less ticket may
indicate that we don't know our own global address, but
it does not necessary mean that we don't know the
server's. */
krb5_appdefault_boolean(context, NULL, srealm, "no-addresses",
FALSE, &noaddr);
if (!noaddr) {
ret = krb5_make_addrport (context,
&enc_krb_cred_part.r_address,
auth_context->remote_address,
auth_context->remote_port);
if (ret)
goto out4;
}
} else {
ALLOC(enc_krb_cred_part.r_address, 1);
if (enc_krb_cred_part.r_address == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out4;
}
ret = krb5_copy_address (context, auth_context->remote_address,
enc_krb_cred_part.r_address);
if (ret)
goto out4;
}
}
/* fill ticket_info.val[0] */
enc_krb_cred_part.ticket_info.len = 1;
krb_cred_info = enc_krb_cred_part.ticket_info.val;
copy_EncryptionKey (&out_creds->session, &krb_cred_info->key);
ALLOC(krb_cred_info->prealm, 1);
copy_Realm (&out_creds->client->realm, krb_cred_info->prealm);
ALLOC(krb_cred_info->pname, 1);
copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname);
ALLOC(krb_cred_info->flags, 1);
*krb_cred_info->flags = out_creds->flags.b;
ALLOC(krb_cred_info->authtime, 1);
*krb_cred_info->authtime = out_creds->times.authtime;
ALLOC(krb_cred_info->starttime, 1);
*krb_cred_info->starttime = out_creds->times.starttime;
ALLOC(krb_cred_info->endtime, 1);
*krb_cred_info->endtime = out_creds->times.endtime;
ALLOC(krb_cred_info->renew_till, 1);
*krb_cred_info->renew_till = out_creds->times.renew_till;
ALLOC(krb_cred_info->srealm, 1);
copy_Realm (&out_creds->server->realm, krb_cred_info->srealm);
ALLOC(krb_cred_info->sname, 1);
copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname);
ALLOC(krb_cred_info->caddr, 1);
copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr);
krb5_free_creds (context, out_creds);
/* encode EncKrbCredPart */
ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size,
&enc_krb_cred_part, &len, ret);
free_EncKrbCredPart (&enc_krb_cred_part);
if (ret) {
free_KRB_CRED(&cred);
return ret;
}
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
/**
* Some older of the MIT gssapi library used clear-text tickets
* (warped inside AP-REQ encryption), use the krb5_auth_context
* flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those
* tickets. The session key is used otherwise to encrypt the
* forwarded ticket.
*/
if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
cred.enc_part.etype = KRB5_ENCTYPE_NULL;
cred.enc_part.kvno = NULL;
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
/*
* Here older versions then 0.7.2 of Heimdal used the local or
* remote subkey. That is wrong, the session key should be
* used. Heimdal 0.7.2 and newer have code to try both in the
* receiving end.
*/
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
free_KRB_CRED(&cred);
return ret;
}
ret = krb5_encrypt_EncryptedData (context,
crypto,
KRB5_KU_KRB_CRED,
buf,
len,
0,
&cred.enc_part);
free(buf);
krb5_crypto_destroy(context, crypto);
if (ret) {
free_KRB_CRED(&cred);
return ret;
}
}
ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret);
free_KRB_CRED (&cred);
if (ret)
return ret;
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
out_data->length = len;
out_data->data = buf;
return 0;
out4:
free_EncKrbCredPart(&enc_krb_cred_part);
out3:
free_KRB_CRED(&cred);
out2:
krb5_free_creds (context, out_creds);
return ret;
}
static krb5_error_code
prepare_error_tgs (struct kdc_request_state *state,
krb5_kdc_req *request, krb5_ticket *ticket, int error,
krb5_principal canon_server,
krb5_data **response, const char *status,
krb5_pa_data **e_data)
{
krb5_error errpkt;
krb5_error_code retval = 0;
krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL;
errpkt.ctime = request->nonce;
errpkt.cusec = 0;
if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
&errpkt.susec)))
return(retval);
errpkt.error = error;
errpkt.server = request->server;
if (ticket && ticket->enc_part2)
errpkt.client = ticket->enc_part2->client;
else
errpkt.client = NULL;
errpkt.text.length = strlen(status);
if (!(errpkt.text.data = strdup(status)))
return ENOMEM;
if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
free(errpkt.text.data);
return ENOMEM;
}
if (e_data != NULL) {
retval = encode_krb5_padata_sequence(e_data, &e_data_asn1);
if (retval) {
free(scratch);
free(errpkt.text.data);
return retval;
}
errpkt.e_data = *e_data_asn1;
} else
errpkt.e_data = empty_data();
if (state) {
retval = kdc_fast_handle_error(kdc_context, state, request, e_data,
&errpkt, &fast_edata);
}
if (retval) {
free(scratch);
free(errpkt.text.data);
krb5_free_data(kdc_context, e_data_asn1);
return retval;
}
if (fast_edata)
errpkt.e_data = *fast_edata;
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
krb5_free_data(kdc_context, e_data_asn1);
krb5_free_data(kdc_context, fast_edata);
if (retval)
free(scratch);
else
*response = scratch;
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
const krb5_data *userdata, krb5_data *outbuf,
krb5_replay_data *outdata)
{
krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
/* Clear replaydata block */
memset(&replaydata, 0, sizeof(krb5_replay_data));
/* Get key */
if ((key = auth_context->send_subkey) == NULL)
key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
(auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
(outdata == NULL))
/* Need a better error */
return KRB5_RC_REQUIRED;
if (!auth_context->local_addr)
return KRB5_LOCAL_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
&replaydata.usec)))
return retval;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
outdata->timestamp = replaydata.timestamp;
outdata->usec = replaydata.usec;
}
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
replaydata.seq = auth_context->local_seq_number++;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = replaydata.seq;
}
{
krb5_address * premote_fulladdr = NULL;
krb5_address * plocal_fulladdr;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
krb5_cksumtype sumtype;
CLEANUP_INIT(2);
if (auth_context->local_port) {
if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
auth_context->local_port,
&local_fulladdr))){
CLEANUP_PUSH(local_fulladdr.contents, free);
plocal_fulladdr = &local_fulladdr;
} else {
goto error;
}
} else {
plocal_fulladdr = auth_context->local_addr;
}
if (auth_context->remote_addr) {
if (auth_context->remote_port) {
if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
auth_context->remote_port,
&remote_fulladdr))){
CLEANUP_PUSH(remote_fulladdr.contents, free);
premote_fulladdr = &remote_fulladdr;
} else {
CLEANUP_DONE();
goto error;
}
} else {
premote_fulladdr = auth_context->remote_addr;
}
}
{
krb5_enctype enctype = krb5_k_key_enctype(context, key);
unsigned int nsumtypes;
unsigned int i;
krb5_cksumtype *sumtypes;
retval = krb5_c_keyed_checksum_types (context, enctype,
&nsumtypes, &sumtypes);
if (retval) {
CLEANUP_DONE ();
goto error;
}
if (nsumtypes == 0) {
retval = KRB5_BAD_ENCTYPE;
krb5_free_cksumtypes (context, sumtypes);
CLEANUP_DONE ();
goto error;
}
for (i = 0; i < nsumtypes; i++)
if (auth_context->safe_cksumtype == sumtypes[i])
break;
krb5_free_cksumtypes (context, sumtypes);
if (i < nsumtypes)
sumtype = auth_context->safe_cksumtype;
else {
switch (enctype) {
case ENCTYPE_DES_CBC_MD4:
sumtype = CKSUMTYPE_RSA_MD4_DES;
break;
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_DES_CBC_CRC:
sumtype = CKSUMTYPE_RSA_MD5_DES;
break;
default:
retval = krb5int_c_mandatory_cksumtype(context, enctype,
&sumtype);
if (retval) {
CLEANUP_DONE();
goto error;
}
break;
}
}
}
if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
plocal_fulladdr, premote_fulladdr,
sumtype, outbuf))) {
CLEANUP_DONE();
goto error;
}
CLEANUP_DONE();
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
"_safe", &replay.client))) {
free(outbuf);
goto error;
}
replay.server = ""; /* XXX */
replay.msghash = NULL;
replay.cusec = replaydata.usec;
replay.ctime = replaydata.timestamp;
if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
/* should we really error out here? XXX */
free(outbuf);
goto error;
}
free(replay.client);
}
return 0;
error:
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
auth_context->local_seq_number--;
return retval;
}
static krb5_error_code
encts_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
krb5_kdc_req *request, krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data *padata,
krb5_prompter_fct prompter, void *prompter_data,
krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
krb5_pa_data ***out_padata)
{
krb5_error_code ret;
krb5_pa_enc_ts pa_enc;
krb5_data *ts = NULL, *enc_ts = NULL;
krb5_enc_data enc_data;
krb5_pa_data **pa = NULL;
krb5_enctype etype = cb->get_etype(context, rock);
enc_data.ciphertext = empty_data();
if (as_key->length == 0) {
#ifdef DEBUG
fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
salt->length);
if ((int) salt->length > 0)
fprintf (stderr, " '%.*s'", salt->length, salt->data);
fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
etype, request->ktype[0]);
#endif
ret = (*gak_fct)(context, request->client, etype, prompter,
prompter_data, salt, s2kparams, as_key, gak_data);
if (ret)
goto cleanup;
TRACE_PREAUTH_ENC_TS_KEY_GAK(context, as_key);
}
/* now get the time of day, and encrypt it accordingly */
ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec);
if (ret)
goto cleanup;
ret = encode_krb5_pa_enc_ts(&pa_enc, &ts);
if (ret)
goto cleanup;
ret = krb5_encrypt_helper(context, as_key, KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
ts, &enc_data);
if (ret)
goto cleanup;
TRACE_PREAUTH_ENC_TS(context, pa_enc.patimestamp, pa_enc.pausec,
ts, &enc_data.ciphertext);
ret = encode_krb5_enc_data(&enc_data, &enc_ts);
if (ret)
goto cleanup;
pa = k5alloc(2 * sizeof(krb5_pa_data *), &ret);
if (pa == NULL)
goto cleanup;
pa[0] = k5alloc(sizeof(krb5_pa_data), &ret);
if (pa[0] == NULL)
goto cleanup;
pa[0]->magic = KV5M_PA_DATA;
pa[0]->pa_type = KRB5_PADATA_ENC_TIMESTAMP;
pa[0]->length = enc_ts->length;
pa[0]->contents = (krb5_octet *) enc_ts->data;
enc_ts->data = NULL;
pa[1] = NULL;
*out_padata = pa;
pa = NULL;
cleanup:
krb5_free_data(context, ts);
krb5_free_data(context, enc_ts);
free(enc_data.ciphertext.data);
free(pa);
return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
const krb5_data *userdata, krb5_data *outbuf,
krb5_replay_data *outdata)
{
krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
krb5_data buf = empty_data();
*outbuf = empty_data();
/* Clear replaydata block */
memset(&replaydata, 0, sizeof(krb5_replay_data));
/* Get keyblock */
if ((key = auth_context->send_subkey) == NULL)
key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
(auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
(outdata == NULL))
/* Need a better error */
return KRB5_RC_REQUIRED;
if (!auth_context->local_addr)
return KRB5_LOCAL_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
&replaydata.usec)))
return retval;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
outdata->timestamp = replaydata.timestamp;
outdata->usec = replaydata.usec;
}
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
replaydata.seq = auth_context->local_seq_number++;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = replaydata.seq;
}
{
krb5_address * premote_fulladdr = NULL;
krb5_address * plocal_fulladdr;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
CLEANUP_INIT(2);
if (auth_context->local_port) {
if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
auth_context->local_port,
&local_fulladdr))) {
CLEANUP_PUSH(local_fulladdr.contents, free);
plocal_fulladdr = &local_fulladdr;
} else {
goto error;
}
} else {
plocal_fulladdr = auth_context->local_addr;
}
if (auth_context->remote_addr) {
if (auth_context->remote_port) {
if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
auth_context->remote_port,
&remote_fulladdr))){
CLEANUP_PUSH(remote_fulladdr.contents, free);
premote_fulladdr = &remote_fulladdr;
} else {
CLEANUP_DONE();
goto error;
}
} else {
premote_fulladdr = auth_context->remote_addr;
}
}
if ((retval = mk_priv_basic(context, userdata, key, &replaydata,
plocal_fulladdr, premote_fulladdr,
&auth_context->cstate, &buf))) {
CLEANUP_DONE();
goto error;
}
CLEANUP_DONE();
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
"_priv", &replay.client)))
goto error;
replay.server = ""; /* XXX */
replay.msghash = NULL;
replay.cusec = replaydata.usec;
replay.ctime = replaydata.timestamp;
if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
/* should we really error out here? XXX */
free(replay.client);
goto error;
}
free(replay.client);
}
*outbuf = buf;
return 0;
error:
krb5_free_data_contents(context, &buf);
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
auth_context->local_seq_number--;
return retval;
}
krb5_error_code
kdc_fast_response_handle_padata(struct kdc_request_state *state,
krb5_kdc_req *request,
krb5_kdc_rep *rep, krb5_enctype enctype)
{
krb5_error_code retval = 0;
krb5_fast_finished finish;
krb5_fast_response fast_response;
krb5_data *encoded_ticket = NULL;
krb5_data *encrypted_reply = NULL;
krb5_pa_data *pa = NULL, **pa_array = NULL;
krb5_cksumtype cksumtype = CKSUMTYPE_RSA_MD5;
krb5_pa_data *empty_padata[] = {NULL};
krb5_keyblock *strengthen_key = NULL;
kdc_realm_t *kdc_active_realm = state->realm_data;
if (!state->armor_key)
return 0;
memset(&finish, 0, sizeof(finish));
retval = krb5_init_keyblock(kdc_context, enctype, 0, &strengthen_key);
if (retval == 0)
retval = krb5_c_make_random_key(kdc_context, enctype, strengthen_key);
if (retval == 0) {
state->strengthen_key = strengthen_key;
strengthen_key = NULL;
}
fast_response.padata = rep->padata;
if (fast_response.padata == NULL)
fast_response.padata = &empty_padata[0];
fast_response.strengthen_key = state->strengthen_key;
fast_response.nonce = request->nonce;
fast_response.finished = &finish;
finish.client = rep->client;
pa_array = calloc(3, sizeof(*pa_array));
if (pa_array == NULL)
retval = ENOMEM;
pa = calloc(1, sizeof(krb5_pa_data));
if (retval == 0 && pa == NULL)
retval = ENOMEM;
if (retval == 0)
retval = krb5_us_timeofday(kdc_context, &finish.timestamp, &finish.usec);
if (retval == 0)
retval = encode_krb5_ticket(rep->ticket, &encoded_ticket);
if (retval == 0)
retval = krb5int_c_mandatory_cksumtype(kdc_context,
state->armor_key->enctype,
&cksumtype);
if (retval == 0)
retval = krb5_c_make_checksum(kdc_context, cksumtype,
state->armor_key,
KRB5_KEYUSAGE_FAST_FINISHED,
encoded_ticket, &finish.ticket_checksum);
if (retval == 0)
retval = encrypt_fast_reply(state, &fast_response, &encrypted_reply);
if (retval == 0) {
pa[0].pa_type = KRB5_PADATA_FX_FAST;
pa[0].length = encrypted_reply->length;
pa[0].contents = (unsigned char *) encrypted_reply->data;
pa_array[0] = &pa[0];
krb5_free_pa_data(kdc_context, rep->padata);
rep->padata = pa_array;
pa_array = NULL;
free(encrypted_reply);
encrypted_reply = NULL;
pa = NULL;
}
if (pa)
free(pa);
if (pa_array)
free(pa_array);
if (encrypted_reply)
krb5_free_data(kdc_context, encrypted_reply);
if (encoded_ticket)
krb5_free_data(kdc_context, encoded_ticket);
if (strengthen_key != NULL)
krb5_free_keyblock(kdc_context, strengthen_key);
if (finish.ticket_checksum.contents)
krb5_free_checksum_contents(kdc_context, &finish.ticket_checksum);
return retval;
}