/* Populate mech_oid and mech_token with the next entry in token, using aliased
* memory from token. Advance token by the amount consumed. */
static OM_uint32
get_entry(OM_uint32 *minor_status, gss_buffer_t token, gss_OID mech_oid,
gss_buffer_t mech_token)
{
OM_uint32 len;
/* Get the mechanism OID. */
if (token->length < 4)
return GSS_S_DEFECTIVE_TOKEN;
len = load_32_be(token->value);
if (token->length - 4 < len)
return GSS_S_DEFECTIVE_TOKEN;
mech_oid->length = len;
mech_oid->elements = (char *)token->value + 4;
token->value = (char *)token->value + 4 + len;
token->length -= 4 + len;
/* Get the mechanism token. */
if (token->length < 4)
return GSS_S_DEFECTIVE_TOKEN;
len = load_32_be(token->value);
if (token->length - 4 < len)
return GSS_S_DEFECTIVE_TOKEN;
mech_token->length = len;
mech_token->value = (char *)token->value + 4;
token->value = (char *)token->value + 4 + len;
token->length -= 4 + len;
return GSS_S_COMPLETE;
}
static krb5_error_code
nonce_verify(krb5_context ctx, krb5_keyblock *armor_key,
const krb5_data *nonce)
{
krb5_error_code retval;
krb5_timestamp ts;
krb5_data *er = NULL;
if (armor_key == NULL || nonce->data == NULL) {
retval = EINVAL;
goto out;
}
/* Decode the PA-OTP-ENC-REQUEST structure. */
retval = decode_krb5_pa_otp_enc_req(nonce, &er);
if (retval != 0)
goto out;
/* Make sure the nonce is exactly the same size as the one generated. */
if (er->length != armor_key->length + sizeof(krb5_timestamp))
goto out;
/* Check to make sure the timestamp at the beginning is still valid. */
ts = load_32_be(er->data);
retval = krb5_check_clockskew(ctx, ts);
out:
krb5_free_data(ctx, er);
return retval;
}
/*
* krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int32)) {
*intp = load_32_be(*bufp);
*bufp += sizeof(krb5_int32);
*remainp -= sizeof(krb5_int32);
return(0);
}
else
return(ENOMEM);
}
static int unpack_int32(prof_int32 *intp, unsigned char **bufpp,
size_t *remainp)
{
if (*remainp >= sizeof(prof_int32)) {
*intp = load_32_be(*bufpp);
*bufpp += sizeof(prof_int32);
*remainp -= sizeof(prof_int32);
return 0;
}
else
return 1;
}
/* Return true on usable data. */
static krb5_boolean
service_tcp_read(krb5_context context, const krb5_data *realm,
struct conn_state *conn, struct select_state *selstate)
{
ssize_t nread;
int e = 0;
struct incoming_message *in = &conn->in;
if (in->bufsizebytes_read == 4) {
/* Reading data. */
nread = SOCKET_READ(conn->fd, &in->buf[in->pos], in->n_left);
if (nread <= 0) {
e = nread ? SOCKET_ERRNO : ECONNRESET;
TRACE_SENDTO_KDC_TCP_ERROR_RECV(context, &conn->addr, e);
kill_conn(context, conn, selstate);
return FALSE;
}
in->n_left -= nread;
in->pos += nread;
if (in->n_left <= 0)
return TRUE;
} else {
/* Reading length. */
nread = SOCKET_READ(conn->fd, in->bufsizebytes + in->bufsizebytes_read,
4 - in->bufsizebytes_read);
if (nread <= 0) {
e = nread ? SOCKET_ERRNO : ECONNRESET;
TRACE_SENDTO_KDC_TCP_ERROR_RECV_LEN(context, &conn->addr, e);
kill_conn(context, conn, selstate);
return FALSE;
}
in->bufsizebytes_read += nread;
if (in->bufsizebytes_read == 4) {
unsigned long len = load_32_be(in->bufsizebytes);
/* Arbitrary 1M cap. */
if (len > 1 * 1024 * 1024) {
kill_conn(context, conn, selstate);
return FALSE;
}
in->bufsize = in->n_left = len;
in->pos = 0;
in->buf = malloc(len);
if (in->buf == NULL) {
kill_conn(context, conn, selstate);
return FALSE;
}
}
}
return FALSE;
}
/* Load four bytes from the cache file and return their value as a 32-bit
* unsigned integer according to the file format. Also append them to buf. */
static krb5_error_code
read32(krb5_context context, krb5_ccache id, struct k5buf *buf, uint32_t *out)
{
krb5_error_code ret;
char bytes[4];
k5_cc_mutex_assert_locked(context, &((fcc_data *)id->data)->lock);
ret = read_bytes(context, id, bytes, 4);
if (ret)
return ret;
if (buf != NULL)
k5_buf_add_len(buf, bytes, 4);
*out = (version(id) < 3) ? load_32_n(bytes) : load_32_be(bytes);
return 0;
}
/* Return true on readable, valid KKDCPP data. */
static krb5_boolean
service_https_read(krb5_context context, const krb5_data *realm,
struct conn_state *conn, struct select_state *selstate)
{
krb5_kkdcp_message *pm = NULL;
krb5_data buf;
const char *rep;
struct incoming_message *in = &conn->in;
/* Read data through the encryption layer. */
if (!https_read_bytes(context, conn, selstate))
return FALSE;
/* Find the beginning of the response body. */
rep = strstr(in->buf, "\r\n\r\n");
if (rep == NULL)
goto kill_conn;
rep += 4;
/* Decode the response. */
buf = make_data((char *)rep, in->pos - (rep - in->buf));
if (decode_krb5_kkdcp_message(&buf, &pm) != 0)
goto kill_conn;
/* Check and discard the message length at the front of the kerb_message
* field after decoding. If it's wrong or missing, something broke. */
if (pm->kerb_message.length < 4 ||
load_32_be(pm->kerb_message.data) != pm->kerb_message.length - 4) {
goto kill_conn;
}
/* Replace all of the content that we read back with just the message. */
memcpy(in->buf, pm->kerb_message.data + 4, pm->kerb_message.length - 4);
in->pos = pm->kerb_message.length - 4;
k5_free_kkdcp_message(context, pm);
return TRUE;
kill_conn:
TRACE_SENDTO_KDC_HTTPS_ERROR(context, in->buf);
k5_free_kkdcp_message(context, pm);
kill_conn(context, conn, selstate);
return FALSE;
}
int main ()
{
/* Test some low-level assumptions the Kerberos code depends
on. */
union {
uint64_t n64;
uint32_t n32;
uint16_t n16;
unsigned char b[9];
} u;
static unsigned char buf[9] = { 0, 1, 2, 3, 4, 5, 6, 7, 8 };
assert(load_64_be(buf+1) == 0x0102030405060708LL);
assert(load_64_le(buf+1) == 0x0807060504030201LL);
assert(load_32_le(buf+2) == 0x05040302);
assert(load_32_be(buf+2) == 0x02030405);
assert(load_16_be(buf+3) == 0x0304);
assert(load_16_le(buf+3) == 0x0403);
u.b[0] = 0;
assert((store_64_be(0x0102030405060708LL, u.b+1), !memcmp(buf, u.b, 9)));
u.b[1] = 9;
assert((store_64_le(0x0807060504030201LL, u.b+1), !memcmp(buf, u.b, 9)));
u.b[2] = 10;
assert((store_32_be(0x02030405, u.b+2), !memcmp(buf, u.b, 9)));
u.b[3] = 11;
assert((store_32_le(0x05040302, u.b+2), !memcmp(buf, u.b, 9)));
u.b[4] = 12;
assert((store_16_be(0x0304, u.b+3), !memcmp(buf, u.b, 9)));
u.b[4] = 13;
assert((store_16_le(0x0403, u.b+3), !memcmp(buf, u.b, 9)));
/* Verify that load_*_n properly does native format. Assume
the unaligned thing is okay. */
u.n64 = 0x090a0b0c0d0e0f00LL;
assert(load_64_n((unsigned char *) &u.n64) == 0x090a0b0c0d0e0f00LL);
u.n32 = 0x06070809;
assert(load_32_n((unsigned char *) &u.n32) == 0x06070809);
u.n16 = 0x0a0b;
assert(load_16_n((unsigned char *) &u.n16) == 0x0a0b);
return 0;
}
OM_uint32
gss_krb5int_unseal_token_v3(krb5_context *contextptr,
OM_uint32 *minor_status,
krb5_gss_ctx_id_rec *ctx,
unsigned char *ptr, int bodysize,
gss_buffer_t message_buffer,
int *conf_state, int *qop_state, int toktype)
{
krb5_context context = *contextptr;
krb5_data plain;
gssint_uint64 seqnum;
size_t ec, rrc;
int key_usage;
unsigned char acceptor_flag;
krb5_checksum sum;
krb5_error_code err;
krb5_boolean valid;
krb5_keyblock *key;
ASSERT(toktype != KG_TOK_SEAL_MSG || ctx->enc != 0);
ASSERT(ctx->big_endian == 0);
ASSERT(ctx->proto == 1);
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (!ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (!ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
/* Oops. I wrote this code assuming ptr would be at the start of
the token header. */
ptr -= 2;
bodysize += 2;
if (bodysize < 16) {
defective:
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
return GSS_S_BAD_SIG;
}
/* Two things to note here.
First, we can't really enforce the use of the acceptor's subkey,
if we're the acceptor; the initiator may have sent messages
before getting the subkey. We could probably enforce it if
we're the initiator.
Second, if someone tweaks the code to not set the flag telling
the krb5 library to generate a new subkey in the AP-REP
message, the MIT library may include a subkey anyways --
namely, a copy of the AP-REQ subkey, if it was provided. So
the initiator may think we wanted a subkey, and set the flag,
even though we weren't trying to set the subkey. The "other"
key, the one not asserted by the acceptor, will have the same
value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
key = ctx->acceptor_subkey;
} else {
key = ctx->enc;
}
#ifdef _KERNEL
context->kef_cipher_mt = get_cipher_mech_type(context, key);
context->kef_hash_mt = get_hash_mech_type(context, key);
if ((err = init_key_kef(context->kef_cipher_mt, key))) {
return (GSS_S_FAILURE);
}
#endif /* _KERNEL */
if (toktype == KG_TOK_WRAP_MSG) {
if (load_16_be(ptr) != 0x0504)
goto defective;
if (ptr[3] != 0xff)
goto defective;
ec = load_16_be(ptr+4);
rrc = load_16_be(ptr+6);
seqnum = load_64_be(ptr+8);
if (!rotate_left(ptr+16, bodysize-16, rrc)) {
no_mem:
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
/* confidentiality */
krb5_enc_data cipher;
unsigned char *althdr;
size_t plainlen;
if (conf_state)
*conf_state = 1;
/* Do we have no decrypt_size function?
For all current cryptosystems, the ciphertext size will
be larger than the plaintext size. */
cipher.enctype = key->enctype;
cipher.ciphertext.length = bodysize - 16;
cipher.ciphertext.data = (char *)ptr + 16;
plain.length = plainlen = bodysize - 16;
plain.data = MALLOC(plain.length);
if (plain.data == NULL)
goto no_mem;
err = krb5_c_decrypt(context, key, key_usage, 0,
&cipher, &plain);
if (err) {
goto error;
}
/* Don't use bodysize here! Use the fact that
plain.length has been adjusted to the
correct length. */
althdr = (uchar_t *)plain.data + plain.length - 16;
if (load_16_be(althdr) != 0x0504
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
|| memcmp(althdr+8, ptr+8, 8)) {
FREE(plain.data, plainlen);
goto defective;
}
message_buffer->length = plain.length - ec - 16;
message_buffer->value = MALLOC(message_buffer->length);
if (message_buffer->value == NULL) {
FREE(plain.data, plainlen);
goto no_mem;
}
(void) memcpy(message_buffer->value, plain.data,
message_buffer->length);
FREE(plain.data, plainlen);
} else {
/* no confidentiality */
if (conf_state)
*conf_state = 0;
if (ec + 16 < ec)
/* overflow check */
goto defective;
if (ec + 16 > bodysize)
goto defective;
/* We have: header | msg | cksum.
We need cksum(msg | header).
Rotate the first two. */
store_16_be(0, ptr+4);
store_16_be(0, ptr+6);
plain.length = bodysize-ec;
plain.data = (char *)ptr;
if (!rotate_left(ptr, bodysize-ec, 16))
goto no_mem;
sum.length = ec;
if (sum.length != ctx->cksum_size) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
sum.contents = ptr+bodysize-ec;
sum.checksum_type = ctx->cksumtype;
err = krb5_c_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err) {
*minor_status = err;
return GSS_S_BAD_SIG;
}
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
message_buffer->length = plain.length - 16;
message_buffer->value = MALLOC(message_buffer->length);
if (message_buffer->value == NULL)
goto no_mem;
(void) memcpy(message_buffer->value,
plain.data, message_buffer->length);
/*
* Solaris Kerberos: Restore the original token.
* This allows the token to be detected as a duplicate if it
* is passed in to gss_unwrap() again.
*/
if (!rotate_left(ptr, bodysize-ec, bodysize - ec - 16))
goto no_mem;
store_16_be(ec, ptr+4);
store_16_be(rrc, ptr+6);
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_MIC_MSG) {
/* wrap token, no confidentiality */
if (load_16_be(ptr) != 0x0404)
goto defective;
verify_mic_1:
if (ptr[3] != 0xff)
goto defective;
if (load_32_be(ptr+4) != (ulong_t)0xffffffffU)
goto defective;
seqnum = load_64_be(ptr+8);
plain.length = message_buffer->length + 16;
plain.data = MALLOC(plain.length);
if (plain.data == NULL)
goto no_mem;
if (message_buffer->length)
(void) memcpy(plain.data,
message_buffer->value, message_buffer->length);
(void) memcpy(plain.data + message_buffer->length, ptr, 16);
sum.length = bodysize - 16;
sum.contents = ptr + 16;
sum.checksum_type = ctx->cksumtype;
err = krb5_c_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err) {
error:
FREE(plain.data, plain.length);
*minor_status = err;
save_error_info(*minor_status, context);
return GSS_S_BAD_SIG; /* XXX */
}
FREE(plain.data, plain.length);
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
err = g_order_check(&ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_DEL_CTX) {
if (load_16_be(ptr) != 0x0405)
goto defective;
message_buffer = (gss_buffer_t)&empty_message;
goto verify_mic_1;
} else {
goto defective;
}
}
/*
* Locate and decode the FAST cookie in req, storing its contents in state for
* later access by preauth modules. If the cookie is expired, return
* KRB5KDC_ERR_PREAUTH_EXPIRED if its contents are relevant to req, and ignore
* it if they aren't.
*/
krb5_error_code
kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,
krb5_kdc_req *req, krb5_db_entry *local_tgt)
{
krb5_error_code ret;
krb5_secure_cookie *cookie = NULL;
krb5_timestamp now;
krb5_keyblock *key = NULL;
krb5_enc_data enc;
krb5_pa_data *pa;
krb5_kvno kvno;
krb5_data plain = empty_data();
pa = krb5int_find_pa_data(context, req->padata, KRB5_PADATA_FX_COOKIE);
if (pa == NULL)
return 0;
/* If it's not an MIT version 1 cookie, ignore it. It may be an empty
* "MIT" cookie or a cookie generated by a different KDC implementation. */
if (pa->length <= 8 || memcmp(pa->contents, "MIT1", 4) != 0)
return 0;
/* Extract the kvno and generate the corresponding cookie key. */
kvno = load_32_be(pa->contents + 4);
ret = get_cookie_key(context, local_tgt, kvno, req->client, &key, NULL);
if (ret)
goto cleanup;
/* Decrypt and decode the cookie. */
memset(&enc, 0, sizeof(enc));
enc.enctype = key->enctype;
enc.ciphertext = make_data(pa->contents + 8, pa->length - 8);
ret = alloc_data(&plain, pa->length - 8);
if (ret)
goto cleanup;
ret = krb5_c_decrypt(context, key, KRB5_KEYUSAGE_PA_FX_COOKIE, NULL, &enc,
&plain);
if (ret)
goto cleanup;
ret = decode_krb5_secure_cookie(&plain, &cookie);
if (ret)
goto cleanup;
/* Check if the cookie is expired. */
ret = krb5_timeofday(context, &now);
if (ret)
goto cleanup;
if (now - COOKIE_LIFETIME > cookie->time) {
/* Don't accept the cookie contents. Only return an error if the
* cookie is relevant to the request. */
if (is_relevant(cookie->data, req->padata))
ret = KRB5KDC_ERR_PREAUTH_EXPIRED;
goto cleanup;
}
/* Steal the pa-data list pointer from the cookie and store it in state. */
state->in_cookie_padata = cookie->data;
cookie->data = NULL;
cleanup:
zapfree(plain.data, plain.length);
krb5_free_keyblock(context, key);
k5_free_secure_cookie(context, cookie);
return 0;
}
OM_uint32
gss_krb5int_unseal_token_v3(krb5_context *contextptr,
OM_uint32 *minor_status,
krb5_gss_ctx_id_rec *ctx,
unsigned char *ptr, unsigned int bodysize,
gss_buffer_t message_buffer,
int *conf_state, gss_qop_t *qop_state, int toktype)
{
krb5_context context = *contextptr;
krb5_data plain;
uint64_t seqnum;
size_t ec, rrc;
int key_usage;
unsigned char acceptor_flag;
krb5_checksum sum;
krb5_error_code err;
krb5_boolean valid;
krb5_key key;
krb5_cksumtype cksumtype;
if (qop_state)
*qop_state = GSS_C_QOP_DEFAULT;
acceptor_flag = ctx->initiate ? FLAG_SENDER_IS_ACCEPTOR : 0;
key_usage = (toktype == KG_TOK_WRAP_MSG
? (!ctx->initiate
? KG_USAGE_INITIATOR_SEAL
: KG_USAGE_ACCEPTOR_SEAL)
: (!ctx->initiate
? KG_USAGE_INITIATOR_SIGN
: KG_USAGE_ACCEPTOR_SIGN));
/* Oops. I wrote this code assuming ptr would be at the start of
the token header. */
ptr -= 2;
bodysize += 2;
if (bodysize < 16) {
defective:
*minor_status = 0;
return GSS_S_DEFECTIVE_TOKEN;
}
if ((ptr[2] & FLAG_SENDER_IS_ACCEPTOR) != acceptor_flag) {
*minor_status = (OM_uint32)G_BAD_DIRECTION;
return GSS_S_BAD_SIG;
}
/* Two things to note here.
First, we can't really enforce the use of the acceptor's subkey,
if we're the acceptor; the initiator may have sent messages
before getting the subkey. We could probably enforce it if
we're the initiator.
Second, if someone tweaks the code to not set the flag telling
the krb5 library to generate a new subkey in the AP-REP
message, the MIT library may include a subkey anyways --
namely, a copy of the AP-REQ subkey, if it was provided. So
the initiator may think we wanted a subkey, and set the flag,
even though we weren't trying to set the subkey. The "other"
key, the one not asserted by the acceptor, will have the same
value in that case, though, so we can just ignore the flag. */
if (ctx->have_acceptor_subkey && (ptr[2] & FLAG_ACCEPTOR_SUBKEY)) {
key = ctx->acceptor_subkey;
cksumtype = ctx->acceptor_subkey_cksumtype;
} else {
key = ctx->subkey;
cksumtype = ctx->cksumtype;
}
assert(key != NULL);
if (toktype == KG_TOK_WRAP_MSG) {
if (load_16_be(ptr) != KG2_TOK_WRAP_MSG)
goto defective;
if (ptr[3] != 0xff)
goto defective;
ec = load_16_be(ptr+4);
rrc = load_16_be(ptr+6);
seqnum = load_64_be(ptr+8);
if (!gss_krb5int_rotate_left(ptr+16, bodysize-16, rrc)) {
no_mem:
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
if (ptr[2] & FLAG_WRAP_CONFIDENTIAL) {
/* confidentiality */
krb5_enc_data cipher;
unsigned char *althdr;
if (conf_state)
*conf_state = 1;
/* Do we have no decrypt_size function?
For all current cryptosystems, the ciphertext size will
be larger than the plaintext size. */
cipher.enctype = key->keyblock.enctype;
cipher.ciphertext.length = bodysize - 16;
cipher.ciphertext.data = (char *)ptr + 16;
plain.length = bodysize - 16;
plain.data = gssalloc_malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
err = krb5_k_decrypt(context, key, key_usage, 0,
&cipher, &plain);
if (err) {
gssalloc_free(plain.data);
goto error;
}
/* Don't use bodysize here! Use the fact that
cipher.ciphertext.length has been adjusted to the
correct length. */
althdr = (unsigned char *)plain.data + plain.length - 16;
if (load_16_be(althdr) != KG2_TOK_WRAP_MSG
|| althdr[2] != ptr[2]
|| althdr[3] != ptr[3]
|| memcmp(althdr+8, ptr+8, 8)) {
free(plain.data);
goto defective;
}
message_buffer->value = plain.data;
message_buffer->length = plain.length - ec - 16;
if(message_buffer->length == 0) {
gssalloc_free(message_buffer->value);
message_buffer->value = NULL;
}
} else {
size_t cksumsize;
err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
if (err)
goto error;
/* no confidentiality */
if (conf_state)
*conf_state = 0;
if (ec + 16 < ec)
/* overflow check */
goto defective;
if (ec + 16 > bodysize)
goto defective;
/* We have: header | msg | cksum.
We need cksum(msg | header).
Rotate the first two. */
store_16_be(0, ptr+4);
store_16_be(0, ptr+6);
plain = make_data(ptr, bodysize - ec);
if (!gss_krb5int_rotate_left(ptr, bodysize-ec, 16))
goto no_mem;
sum.length = ec;
if (sum.length != cksumsize) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
sum.contents = ptr+bodysize-ec;
sum.checksum_type = cksumtype;
err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
if (err)
goto error;
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
message_buffer->length = plain.length - 16;
message_buffer->value = gssalloc_malloc(message_buffer->length);
if (message_buffer->value == NULL)
goto no_mem;
memcpy(message_buffer->value, plain.data, message_buffer->length);
}
err = g_seqstate_check(ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_MIC_MSG) {
/* wrap token, no confidentiality */
if (load_16_be(ptr) != KG2_TOK_MIC_MSG)
goto defective;
verify_mic_1:
if (ptr[3] != 0xff)
goto defective;
if (load_32_be(ptr+4) != 0xffffffffL)
goto defective;
seqnum = load_64_be(ptr+8);
plain.length = message_buffer->length + 16;
plain.data = malloc(plain.length);
if (plain.data == NULL)
goto no_mem;
if (message_buffer->length)
memcpy(plain.data, message_buffer->value, message_buffer->length);
memcpy(plain.data + message_buffer->length, ptr, 16);
sum.length = bodysize - 16;
sum.contents = ptr + 16;
sum.checksum_type = cksumtype;
err = krb5_k_verify_checksum(context, key, key_usage,
&plain, &sum, &valid);
free(plain.data);
plain.data = NULL;
if (err) {
error:
*minor_status = err;
save_error_info(*minor_status, context);
return GSS_S_BAD_SIG; /* XXX */
}
if (!valid) {
*minor_status = 0;
return GSS_S_BAD_SIG;
}
err = g_seqstate_check(ctx->seqstate, seqnum);
*minor_status = 0;
return err;
} else if (toktype == KG_TOK_DEL_CTX) {
if (load_16_be(ptr) != KG2_TOK_DEL_CTX)
goto defective;
message_buffer = (gss_buffer_t)&empty_message;
goto verify_mic_1;
} else {
goto defective;
}
}
static krb5_error_code
pbkdf2_string_to_key(const struct krb5_keytypes *ktp, const krb5_data *string,
const krb5_data *salt, const krb5_data *pepper,
const krb5_data *params, krb5_keyblock *key,
enum deriv_alg deriv_alg, unsigned long def_iter_count)
{
const struct krb5_hash_provider *hash;
unsigned long iter_count;
krb5_data out;
static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
krb5_key tempkey = NULL;
krb5_error_code err;
krb5_data sandp = empty_data();
if (params) {
unsigned char *p = (unsigned char *) params->data;
if (params->length != 4)
return KRB5_ERR_BAD_S2K_PARAMS;
iter_count = load_32_be(p);
/* Zero means 2^32, which is way above what we will accept. Also don't
* accept values less than the default, unless we're running tests. */
if (iter_count == 0 ||
(!k5_allow_weak_pbkdf2iter && iter_count < def_iter_count))
return KRB5_ERR_BAD_S2K_PARAMS;
} else
iter_count = def_iter_count;
/* This is not a protocol specification constraint; this is an
implementation limit, which should eventually be controlled by
a config file. */
if (iter_count >= MAX_ITERATION_COUNT)
return KRB5_ERR_BAD_S2K_PARAMS;
/* Use the output keyblock contents for temporary space. */
out.data = (char *) key->contents;
out.length = key->length;
if (out.length != 16 && out.length != 32)
return KRB5_CRYPTO_INTERNAL;
if (pepper != NULL) {
err = alloc_data(&sandp, pepper->length + 1 + salt->length);
if (err)
return err;
if (pepper->length > 0)
memcpy(sandp.data, pepper->data, pepper->length);
sandp.data[pepper->length] = '\0';
if (salt->length > 0)
memcpy(&sandp.data[pepper->length + 1], salt->data, salt->length);
salt = &sandp;
}
hash = (ktp->hash != NULL) ? ktp->hash : &krb5int_hash_sha1;
err = krb5int_pbkdf2_hmac(hash, &out, iter_count, string, salt);
if (err)
goto cleanup;
err = krb5_k_create_key (NULL, key, &tempkey);
if (err)
goto cleanup;
err = krb5int_derive_keyblock(ktp->enc, ktp->hash, tempkey, key, &usage,
deriv_alg);
cleanup:
if (sandp.data)
free(sandp.data);
if (err)
memset (out.data, 0, out.length);
krb5_k_free_key (NULL, tempkey);
return err;
}
static krb5_error_code
decode_ad_policy_info(const krb5_data *data, char **msg_out)
{
struct ad_policy_info policy;
uint64_t password_days;
const char *p;
char *msg;
struct k5buf buf;
*msg_out = NULL;
if (data->length != AD_POLICY_INFO_LENGTH)
return 0;
p = data->data;
policy.zero_bytes = load_16_be(p);
p += 2;
/* first two bytes are zeros */
if (policy.zero_bytes != 0)
return 0;
/* Read in the rest of structure */
policy.min_length_password = load_32_be(p);
p += 4;
policy.password_history = load_32_be(p);
p += 4;
policy.password_properties = load_32_be(p);
p += 4;
policy.expire = load_64_be(p);
p += 8;
policy.min_passwordage = load_64_be(p);
p += 8;
/* Check that we processed exactly the expected number of bytes. */
assert(p == data->data + AD_POLICY_INFO_LENGTH);
krb5int_buf_init_dynamic(&buf);
/*
* Update src/tests/misc/test_chpw_message.c if changing these strings!
*/
if (policy.password_properties & AD_POLICY_COMPLEX) {
krb5int_buf_add(&buf,
_("The password must include numbers or symbols. "
"Don't include any part of your name in the "
"password."));
}
if (policy.min_length_password > 0) {
add_spaces(&buf);
krb5int_buf_add_fmt(&buf,
ngettext("The password must contain at least %d "
"character.",
"The password must contain at least %d "
"characters.",
policy.min_length_password),
policy.min_length_password);
}
if (policy.password_history) {
add_spaces(&buf);
krb5int_buf_add_fmt(&buf,
ngettext("The password must be different from the "
"previous password.",
"The password must be different from the "
"previous %d passwords.",
policy.password_history),
policy.password_history);
}
if (policy.min_passwordage) {
password_days = policy.min_passwordage / AD_POLICY_TIME_TO_DAYS;
if (password_days == 0)
password_days = 1;
add_spaces(&buf);
krb5int_buf_add_fmt(&buf,
ngettext("The password can only be changed once a "
"day.",
"The password can only be changed every "
"%d days.", (int)password_days),
(int)password_days);
}
msg = krb5int_buf_data(&buf);
if (msg == NULL)
return ENOMEM;
if (*msg != '\0')
*msg_out = msg;
else
free(msg);
return 0;
}
static int
service_tcp_fd(krb5_context context, struct conn_state *conn,
struct select_state *selstate, int ssflags)
{
int e = 0;
ssize_t nwritten, nread;
if (!(ssflags & (SSF_READ|SSF_WRITE|SSF_EXCEPTION)))
abort();
switch (conn->state) {
SOCKET_WRITEV_TEMP tmp;
case CONNECTING:
if (ssflags & SSF_READ) {
/* Bad -- the KDC shouldn't be sending to us first. */
e = EINVAL /* ?? */;
kill_conn:
TRACE_SENDTO_KDC_TCP_DISCONNECT(context, conn);
kill_conn(conn, selstate, e);
if (e == EINVAL) {
closesocket(conn->fd);
conn->fd = INVALID_SOCKET;
}
return e == 0;
}
if (ssflags & SSF_EXCEPTION) {
handle_exception:
e = get_so_error(conn->fd);
if (e)
dprint("socket error on exception fd: %m", e);
else
dprint("no socket error info available on exception fd");
goto kill_conn;
}
/*
* Connect finished -- but did it succeed or fail?
* UNIX sets can_write if failed.
* Call getsockopt to see if error pending.
*
* (For most UNIX systems it works to just try writing the
* first time and detect an error. But Bill Dodd at IBM
* reports that some version of AIX, SIGPIPE can result.)
*/
e = get_so_error(conn->fd);
if (e) {
TRACE_SENDTO_KDC_TCP_ERROR_CONNECT(context, conn, e);
dprint("socket error on write fd: %m", e);
goto kill_conn;
}
conn->state = WRITING;
goto try_writing;
case WRITING:
if (ssflags & SSF_READ) {
e = E2BIG;
/* Bad -- the KDC shouldn't be sending anything yet. */
goto kill_conn;
}
if (ssflags & SSF_EXCEPTION)
goto handle_exception;
try_writing:
dprint("trying to writev %d (%d bytes) to fd %d\n",
conn->x.out.sg_count,
((conn->x.out.sg_count == 2 ? SG_LEN(&conn->x.out.sgp[1]) : 0)
+ SG_LEN(&conn->x.out.sgp[0])),
conn->fd);
TRACE_SENDTO_KDC_TCP_SEND(context, conn);
nwritten = SOCKET_WRITEV(conn->fd, conn->x.out.sgp,
conn->x.out.sg_count, tmp);
if (nwritten < 0) {
e = SOCKET_ERRNO;
TRACE_SENDTO_KDC_TCP_ERROR_SEND(context, conn, e);
dprint("failed: %m\n", e);
goto kill_conn;
}
dprint("wrote %d bytes\n", nwritten);
while (nwritten) {
sg_buf *sgp = conn->x.out.sgp;
if ((size_t) nwritten < SG_LEN(sgp)) {
SG_ADVANCE(sgp, (size_t) nwritten);
nwritten = 0;
} else {
nwritten -= SG_LEN(sgp);
conn->x.out.sgp++;
conn->x.out.sg_count--;
if (conn->x.out.sg_count == 0 && nwritten != 0)
/* Wrote more than we wanted to? */
abort();
}
}
if (conn->x.out.sg_count == 0) {
/* Done writing, switch to reading. */
/* Don't call shutdown at this point because
* some implementations cannot deal with half-closed connections.*/
FD_CLR(conn->fd, &selstate->wfds);
/* Q: How do we detect failures to send the remaining data
to the remote side, since we're in non-blocking mode?
Will we always get errors on the reading side? */
dprint("switching fd %d to READING\n", conn->fd);
conn->state = READING;
conn->x.in.bufsizebytes_read = 0;
conn->x.in.bufsize = 0;
conn->x.in.buf = 0;
conn->x.in.pos = 0;
conn->x.in.n_left = 0;
}
return 0;
case READING:
if (ssflags & SSF_EXCEPTION) {
if (conn->x.in.buf) {
free(conn->x.in.buf);
conn->x.in.buf = 0;
}
goto handle_exception;
}
if (conn->x.in.bufsizebytes_read == 4) {
/* Reading data. */
dprint("reading %d bytes of data from fd %d\n",
(int) conn->x.in.n_left, conn->fd);
nread = SOCKET_READ(conn->fd, conn->x.in.pos, conn->x.in.n_left);
if (nread <= 0) {
e = nread ? SOCKET_ERRNO : ECONNRESET;
free(conn->x.in.buf);
conn->x.in.buf = 0;
TRACE_SENDTO_KDC_TCP_ERROR_RECV(context, conn, e);
goto kill_conn;
}
conn->x.in.n_left -= nread;
conn->x.in.pos += nread;
if (conn->x.in.n_left <= 0) {
/* We win! */
return 1;
}
} else {
/* Reading length. */
nread = SOCKET_READ(conn->fd,
conn->x.in.bufsizebytes + conn->x.in.bufsizebytes_read,
4 - conn->x.in.bufsizebytes_read);
if (nread < 0) {
TRACE_SENDTO_KDC_TCP_ERROR_RECV_LEN(context, conn, e);
e = SOCKET_ERRNO;
goto kill_conn;
}
conn->x.in.bufsizebytes_read += nread;
if (conn->x.in.bufsizebytes_read == 4) {
unsigned long len = load_32_be (conn->x.in.bufsizebytes);
dprint("received length on fd %d is %d\n", conn->fd, (int)len);
/* Arbitrary 1M cap. */
if (len > 1 * 1024 * 1024) {
e = E2BIG;
goto kill_conn;
}
conn->x.in.bufsize = conn->x.in.n_left = len;
conn->x.in.buf = conn->x.in.pos = malloc(len);
dprint("allocated %d byte buffer at %p\n", (int) len,
conn->x.in.buf);
if (conn->x.in.buf == 0) {
/* allocation failure */
e = ENOMEM;
goto kill_conn;
}
}
}
break;
default:
abort();
}
return 0;
}
