krb5_error_code
handle_authdata (krb5_context context,
unsigned int flags,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code = 0;
int i;
for (i = 0; i < n_authdata_systems; i++) {
const krb5_authdata_systems *asys = &authdata_systems[i];
if (isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS) &&
!isflagset(asys->flags, AUTHDATA_FLAG_ANONYMOUS))
continue;
switch (asys->type) {
case AUTHDATA_SYSTEM_V0:
/* V0 was only in AS-REQ code path */
if (request->msg_type != KRB5_AS_REQ)
continue;
code = (*asys->handle_authdata.v0)(context, client, req_pkt,
request, enc_tkt_reply);
break;
case AUTHDATA_SYSTEM_V2:
code = (*asys->handle_authdata.v2)(context, flags,
client, server, krbtgt,
client_key, server_key, krbtgt_key,
req_pkt, request, for_user_princ,
enc_tkt_request,
enc_tkt_reply);
break;
default:
code = 0;
break;
}
if (code != 0) {
const char *emsg;
emsg = krb5_get_error_message (context, code);
krb5_klog_syslog(LOG_INFO, _("authdata (%s) handling failure: %s"),
asys->name, emsg);
krb5_free_error_message (context, emsg);
if (asys->flags & AUTHDATA_FLAG_CRITICAL)
break;
}
}
return code;
}
/* Set the key for krb_rd_req so we can check tgt */
static int
set_tgtkey(char *r, krb5_kvno kvno, krb5_boolean use_3des)
{
int n;
static char lastrealm[REALM_SZ] = "";
static int last_kvno = 0;
static krb5_boolean last_use_3des = 0;
static int more;
Principal p_st;
Principal *p = &p_st;
C_Block key;
krb5_keyblock k5key;
k5key.contents = NULL;
if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des)
return (KSUCCESS);
/* log("Getting key for %s", r); */
n = kerb_get_principal("krbtgt", r, p, &more, &k5key, kvno, 1, NULL);
if (n == 0)
return (KFAILURE);
if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
lt = klog(L_ERR_SEXP,
"V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
krb5_free_keyblock_contents(kdc_context, &k5key);
return KFAILURE;
}
if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
krb5_free_keyblock_contents(kdc_context, &k5key);
return KFAILURE;
}
if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) {
krb_set_key_krb5(kdc_context, &k5key);
strncpy(lastrealm, r, sizeof(lastrealm) - 1);
lastrealm[sizeof(lastrealm) - 1] = '\0';
last_kvno = kvno;
last_use_3des = use_3des;
} else {
/* unseal tgt key from master key */
memcpy(key, &p->key_low, 4);
memcpy(((krb5_ui_4 *) key) + 1, &p->key_high, 4);
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
krb_set_key((char *) key, 0);
strncpy(lastrealm, r, sizeof(lastrealm) - 1);
lastrealm[sizeof(lastrealm) - 1] = '\0';
last_kvno = kvno;
}
krb5_free_keyblock_contents(kdc_context, &k5key);
return (KSUCCESS);
}
static int lua_sr_isflagset (lua_State *L)
{
int flag;
int ret;
sr_lua_env_t *env_L;
env_L = sr_lua_env_get();
flag = lua_tointeger(L, -1);
if(env_L->msg==NULL)
{
LM_WARN("invalid parameters from Lua env\n");
return app_lua_return_false(L);
}
if (!flag_in_range(flag))
{
LM_ERR("invalid flag parameter %d\n", flag);
return app_lua_return_false(L);
}
ret = isflagset(env_L->msg, flag);
if(ret>0)
return app_lua_return_true(L);
return app_lua_return_false(L);
}
/*
* This function creates and submits aaa authentication request as per
* draft-sterman-aaa-sip-00.txt. In addition, _user parameter is included
* in the request as value of a SER specific attribute type SIP-URI-User,
* which can be be used as a check item in the request. Service type of
* the request is Authenticate-Only.
*/
int aaa_authorize_sterman(struct sip_msg* _msg, dig_cred_t* _cred, str* _method, str* _user)
{
aaa_message *send, *received;
uint32_t service;
str method, user, user_name;
str *ruri;
send = received = NULL;
if (!(_cred && _method && _user)) {
LM_ERR("invalid parameter value\n");
return -1;
}
method = *_method;
user = *_user;
if ((send = proto.create_aaa_message(conn, AAA_AUTH)) == NULL) {
LM_ERR("failed to create new aaa message for auth\n");
return -1;
}
/*
* Add all the user digest parameters according to the qop defined.
* Most devices tested only offer support for the simplest digest.
*/
if (_cred->username.domain.len) {
if (proto.avp_add(conn, send, &attrs[A_USER_NAME], _cred->username.whole.s, _cred->username.whole.len, 0)) {
LM_ERR("unable to add User-Name attribute\n");
goto err;
}
} else {
user_name.len = _cred->username.user.len + _cred->realm.len + 1;
user_name.s = pkg_malloc(user_name.len);
if (!user_name.s) {
LM_ERR("no pkg memory left\n");
return -3;
}
memcpy(user_name.s, _cred->username.whole.s, _cred->username.whole.len);
user_name.s[_cred->username.whole.len] = '@';
memcpy(user_name.s + _cred->username.whole.len + 1, _cred->realm.s,
_cred->realm.len);
if (proto.avp_add(conn, send, &attrs[A_USER_NAME], user_name.s,
user_name.len, 0)) {
LM_ERR("unable to add User-Name attribute\n");
pkg_free(user_name.s);
goto err;
}
pkg_free(user_name.s);
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_USER_NAME],
_cred->username.whole.s, _cred->username.whole.len, 0)) {
LM_ERR("unable to add Digest-User-Name attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_REALM], _cred->realm.s,
_cred->realm.len, 0)) {
LM_ERR("unable to add Digest-Realm attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_NONCE], _cred->nonce.s,
_cred->nonce.len, 0)) {
LM_ERR("unable to add Digest-Nonce attribute\n");
goto err;
}
if (use_ruri_flag < 0 || isflagset(_msg, use_ruri_flag) != 1) {
ruri = &_cred->uri;
} else {
ruri = GET_RURI(_msg);
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_URI], ruri->s,
ruri->len, 0)) {
LM_ERR("unable to add Digest-URI attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_METHOD], method.s,
method.len, 0)) {
LM_ERR("unable to add Digest-Method attribute\n");
goto err;
}
/*
* Add the additional authentication fields according to the QOP.
*/
if (_cred->qop.qop_parsed == QOP_AUTH_D) {
if (proto.avp_add(conn, send, &attrs[A_DIGEST_QOP], "auth", 4, 0)) {
LM_ERR("unable to add Digest-QOP attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_NONCE_COUNT],
_cred->nc.s, _cred->nc.len, 0)) {
LM_ERR("unable to add Digest-CNonce-Count attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_CNONCE],
_cred->cnonce.s, _cred->cnonce.len, 0)) {
LM_ERR("unable to add Digest-CNonce attribute\n");
goto err;
}
} else if (_cred->qop.qop_parsed == QOP_AUTHINT_D) {
if (proto.avp_add(conn, send, &attrs[A_DIGEST_QOP],
"auth-int", 8, 0)) {
LM_ERR("unable to add Digest-QOP attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_NONCE_COUNT],
_cred->nc.s, _cred->nc.len, 0)) {
LM_ERR("unable to add Digest-Nonce-Count attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_CNONCE],
_cred->cnonce.s, _cred->cnonce.len, 0)) {
LM_ERR("unable to add Digest-CNonce attribute\n");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_DIGEST_BODY_DIGEST],
_cred->opaque.s, _cred->opaque.len, 0)) {
LM_ERR("unable to add Digest-Body-Digest attribute\n");
goto err;
}
} else {
/* send nothing for qop == "" */
}
/* Add the response... What to calculate against... */
if (proto.avp_add(conn, send, &attrs[A_DIGEST_RESPONSE],
_cred->response.s, _cred->response.len, 0)) {
LM_ERR("unable to add Digest-Response attribute\n");
goto err;
}
/* Indicate the service type, Authenticate only in our case */
service = vals[V_SIP_SESSION].value;
if (proto.avp_add(conn, send, &attrs[A_SERVICE_TYPE], &service, -1, 0)) {
LM_ERR("unable to add Service-Type attribute\n");
goto err;
}
/* Add SIP URI as a check item */
if (proto.avp_add(conn, send, &attrs[A_SIP_URI_USER], user.s,user.len,0)) {
LM_ERR("unable to add Sip-URI-User attribute\n");
goto err;
}
/* Add CALL-ID in Acct-Session-Id Attribute */
if ( _msg->callid==NULL &&
(parse_headers(_msg, HDR_CALLID_F, 0)==-1 || _msg->callid==NULL) ) {
LM_ERR("msg parsing failed or callid not present");
goto err;
}
if (proto.avp_add(conn, send, &attrs[A_ACCT_SESSION_ID],
_msg->callid->body.s, _msg->callid->body.len, 0)) {
LM_ERR("unable to add CALL-ID attribute\n");
goto err;
}
if (attrs[A_CISCO_AVPAIR].name != NULL) {
if (add_cisco_vsa(&send, _msg)) {
goto err;
}
}
/* Send request */
if (!proto.send_aaa_request(conn, send, &received)) {
LM_DBG("Success\n");
proto.destroy_aaa_message(conn, send);
proto.destroy_aaa_message(conn, received);
return 1;
} else {
#ifdef REJECT_RC
/* if (i == REJECT_RC) {
LM_DBG("Failure\n");
goto err;
}*/
#endif
LM_ERR("authorization failed\n");
}
err:
if (send)
proto.destroy_aaa_message(conn, send);
if (received)
proto.destroy_aaa_message(conn, received);
return -1;
}
/*ARGSUSED*/
krb5_error_code
process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_kdc_req *request = 0;
krb5_db_entry server;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int st_idx = 0;
krb5_enc_tkt_part enc_tkt_reply;
krb5_transited enc_tkt_transited;
int newtransited = 0;
krb5_error_code retval = 0;
int nprincs = 0;
krb5_boolean more;
krb5_timestamp kdc_time, authtime=0;
krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock encrypting_key;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *tmp = 0;
const char *fromstring = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
/* krb5_address *noaddrarray[1]; */
krb5_enctype useenctype;
int errcode, errcode2;
register int i;
int firstpass = 1;
const char *status = 0;
char ktypestr[128];
char rep_etypestr[128];
char fromstringbuf[70];
session_key.contents = 0;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
if (request->msg_type != KRB5_TGS_REQ)
return KRB5_BADMSGTYPE;
ktypes2str(ktypestr, sizeof(ktypestr),
request->nktypes, request->ktype);
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
if ((retval = setup_server_realm(request->server))) {
krb5_free_kdc_req(kdc_context, request);
return retval;
}
fromstring = inet_ntop(ADDRTYPE2FAMILY(from->address->addrtype),
from->address->contents,
fromstringbuf, sizeof(fromstringbuf));
if (!fromstring)
fromstring = "<unknown>";
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
status = "UNPARSING SERVER";
goto cleanup;
}
limit_string(sname);
/* errcode = kdc_process_tgs_req(request, from, pkt, &req_authdat); */
errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, &subkey);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
&cname))) {
status = "UNPARSING CLIENT";
errcode = errcode2;
goto cleanup;
}
limit_string(cname);
if (errcode) {
status = "PROCESS_TGS";
goto cleanup;
}
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
/*
* We've already dealt with the AP_REQ authentication, so we can
* use header_ticket freely. The encrypted part (if any) has been
* decrypted with the session key.
*/
authtime = header_ticket->enc_part2->times.authtime;
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
nprincs = 1;
if ((errcode = get_principal(kdc_context, request->server, &server,
&nprincs, &more))) {
status = "LOOKING_UP_SERVER";
nprincs = 0;
goto cleanup;
}
tgt_again:
if (more) {
status = "NON_UNIQUE_PRINCIPAL";
errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
goto cleanup;
} else if (nprincs != 1) {
/*
* might be a request for a TGT for some other realm; we
* should do our best to find such a TGS in this db
*/
if (firstpass && krb5_is_tgs_principal(request->server) == TRUE) {
if (krb5_princ_size(kdc_context, request->server) == 2) {
krb5_data *server_1 =
krb5_princ_component(kdc_context, request->server, 1);
krb5_data *tgs_1 =
krb5_princ_component(kdc_context, tgs_server, 1);
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
krb5_db_free_principal(kdc_context, &server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs);
firstpass = 0;
goto tgt_again;
}
}
}
krb5_db_free_principal(kdc_context, &server, nprincs);
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
}
if ((retval = validate_tgs_request(request, server, header_ticket,
kdc_time, &status))) {
if (!status)
status = "UNKNOWN_REASON";
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
/*
* We pick the session keytype here....
*
* Some special care needs to be taken in the user-to-user
* case, since we don't know what keytypes the application server
* which is doing user-to-user authentication can support. We
* know that it at least must be able to support the encryption
* type of the session key in the TGT, since otherwise it won't be
* able to decrypt the U2U ticket! So we use that in preference
* to anything else.
*/
useenctype = 0;
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
krb5_keyblock * st_sealing_key;
krb5_kvno st_srv_kvno;
krb5_enctype etype;
/*
* Get the key for the second ticket, and decrypt it.
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
&st_sealing_key,
&st_srv_kvno))) {
status = "2ND_TKT_SERVER";
goto cleanup;
}
errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
request->second_ticket[st_idx]);
krb5_free_keyblock(kdc_context, st_sealing_key);
if (errcode) {
status = "2ND_TKT_DECRYPT";
goto cleanup;
}
etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
if (!krb5_c_valid_enctype(etype)) {
status = "BAD_ETYPE_IN_2ND_TKT";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto cleanup;
}
for (i = 0; i < request->nktypes; i++) {
if (request->ktype[i] == etype) {
useenctype = etype;
break;
}
}
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype == 0) &&
(useenctype = select_session_keytype(kdc_context, &server,
request->nktypes,
request->ktype)) == 0) {
/* unsupported ktype */
status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto cleanup;
}
errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
if (errcode) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
goto cleanup;
}
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
/*
* Fix header_ticket's starttime; if it's zero, fill in the
* authtime's value.
*/
if (!(header_ticket->enc_part2->times.starttime))
header_ticket->enc_part2->times.starttime =
header_ticket->enc_part2->times.authtime;
/* don't use new addresses unless forwarded, see below */
enc_tkt_reply.caddrs = header_ticket->enc_part2->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0; /* optional...don't put it in */
/* It should be noted that local policy may affect the */
/* processing of any of these flags. For example, some */
/* realms may refuse to issue renewable tickets */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_FORWARDED))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_deltat old_life;
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
min(header_ticket->enc_part2->times.renew_till,
kdc_time + old_life);
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
until = (request->till == 0) ? kdc_infinity : request->till;
enc_tkt_reply.times.endtime =
min(until, min(enc_tkt_reply.times.starttime + server.max_life,
min(enc_tkt_reply.times.starttime + max_life_for_realm,
header_ticket->enc_part2->times.endtime)));
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
isflagset(header_ticket->enc_part2->flags,
TKT_FLG_RENEWABLE)) {
setflag(request->kdc_options, KDC_OPT_RENEWABLE);
request->rtime =
min(request->till,
header_ticket->enc_part2->times.renew_till);
}
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
/* already checked above in policy check to reject request for a
renewable ticket using a non-renewable ticket */
setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
enc_tkt_reply.times.renew_till =
min(rtime,
min(header_ticket->enc_part2->times.renew_till,
enc_tkt_reply.times.starttime +
min(server.max_renewable_life,
max_renewable_life_for_realm)));
} else {
enc_tkt_reply.times.renew_till = 0;
}
/*
* Set authtime to be the same as header_ticket's
*/
enc_tkt_reply.times.authtime = header_ticket->enc_part2->times.authtime;
/*
* Propagate the preauthentication flags through to the returned ticket.
*/
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_PRE_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
if (isflagset(header_ticket->enc_part2->flags, TKT_FLG_HW_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
/* assemble any authorization data */
if (request->authorization_data.ciphertext.data) {
krb5_data scratch;
scratch.length = request->authorization_data.ciphertext.length;
if (!(scratch.data =
malloc(request->authorization_data.ciphertext.length))) {
status = "AUTH_NOMEM";
errcode = ENOMEM;
goto cleanup;
}
if ((errcode = krb5_c_decrypt(kdc_context,
header_ticket->enc_part2->session,
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
0, &request->authorization_data,
&scratch))) {
status = "AUTH_ENCRYPT_FAIL";
free(scratch.data);
goto cleanup;
}
/* scratch now has the authorization data, so we decode it */
errcode = decode_krb5_authdata(&scratch, &(request->unenc_authdata));
free(scratch.data);
if (errcode) {
status = "AUTH_DECODE";
goto cleanup;
}
if ((errcode =
concat_authorization_data(request->unenc_authdata,
header_ticket->enc_part2->authorization_data,
&enc_tkt_reply.authorization_data))) {
status = "CONCAT_AUTH";
goto cleanup;
}
} else
enc_tkt_reply.authorization_data =
header_ticket->enc_part2->authorization_data;
enc_tkt_reply.session = &session_key;
enc_tkt_reply.client = header_ticket->enc_part2->client;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
* than the realm of the client (since the realm of the client is already
* implicitly part of the transited list and should not be explicitly
* listed).
*/
/* realm compare is like strcmp, but knows how to deal with these args */
if (realm_compare(header_ticket->server, tgs_server) ||
realm_compare(header_ticket->server, enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_ticket->enc_part2->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
if (header_ticket->enc_part2->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "BAD_TRTYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
goto cleanup;
}
enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_transited.magic = 0;
enc_tkt_transited.tr_contents.magic = 0;
enc_tkt_transited.tr_contents.data = 0;
enc_tkt_transited.tr_contents.length = 0;
enc_tkt_reply.transited = enc_tkt_transited;
if ((errcode =
add_to_transited(&header_ticket->enc_part2->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
request->server))) {
status = "ADD_TR_FAIL";
goto cleanup;
}
newtransited = 1;
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
unsigned int tlen;
char *tdots;
errcode = krb5_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
"bad realm transit path from '%s' to '%s' "
"via '%.*s%s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tlen,
enc_tkt_reply.transited.tr_contents.data,
tdots);
else {
const char *emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
"unexpected error checking transit from "
"'%s' to '%s' via '%.*s%s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tlen,
enc_tkt_reply.transited.tr_contents.data,
tdots, emsg);
krb5_free_error_message(kdc_context, emsg);
}
} else
krb5_klog_syslog (LOG_INFO, "not checking transit path");
if (reject_bad_transit
&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
goto cleanup;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
* If we are doing user-to-user authentication, then make sure
* that the client for the second ticket matches the request
* server, and then encrypt the ticket using the session key of
* the second ticket.
*/
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
/*
* Make sure the client for the second ticket matches
* requested server.
*/
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
if (tmp != NULL)
limit_string(tmp);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ %s: 2ND_TKT_MISMATCH: "
"authtime %d, %s for %s, 2nd tkt client %s",
fromstring, authtime,
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tmp ? tmp : "<unknown>");
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
goto cleanup;
}
ticket_reply.enc_part.kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
&ticket_reply))) {
status = "2ND_TKT_ENCRYPT";
goto cleanup;
}
st_idx++;
} else {
/*
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
}
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
&master_keyblock,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode) {
status = "TKT_ENCRYPT";
goto cleanup;
}
ticket_reply.enc_part.kvno = server_key->key_data_kvno;
}
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
reply.padata = 0; /* always */
reply.client = header_ticket->enc_part2->client;
reply.enc_part.kvno = 0; /* We are using the session key */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields EXCEPT for authtime; its location
is used for ktime */
reply_encpart.times = enc_tkt_reply.times;
reply_encpart.times.authtime = header_ticket->enc_part2->times.authtime;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrarray[0] = &nolrentry;
nolrarray[1] = 0;
reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
reply_encpart.key_exp = 0; /* ditto */
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
subkey ? subkey :
header_ticket->enc_part2->session,
&reply, response);
if (errcode) {
status = "ENCODE_KDC_REP";
} else {
status = "ISSUE";
}
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
cleanup:
if (status) {
const char * emsg = NULL;
if (!errcode)
rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
if (errcode)
emsg = krb5_get_error_message (kdc_context, errcode);
krb5_klog_syslog(LOG_INFO,
"TGS_REQ (%s) %s: %s: authtime %d, "
"%s%s %s for %s%s%s",
ktypestr,
fromstring, status, authtime,
!errcode ? rep_etypestr : "",
!errcode ? "," : "",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
errcode ? ", " : "",
errcode ? emsg : "");
if (errcode)
krb5_free_error_message (kdc_context, emsg);
}
if (errcode) {
int got_err = 0;
if (status == 0) {
status = krb5_get_error_message (kdc_context, errcode);
got_err = 1;
}
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(request, header_ticket, errcode,
fromstring, response, status);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
}
}
if (header_ticket)
krb5_free_ticket(kdc_context, header_ticket);
if (request)
krb5_free_kdc_req(kdc_context, request);
if (cname)
free(cname);
if (sname)
free(sname);
if (nprincs)
krb5_db_free_principal(kdc_context, &server, 1);
if (session_key.contents)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
if (subkey)
krb5_free_keyblock(kdc_context, subkey);
return retval;
}
/*
* This function creates and submits radius authentication request as per
* draft-sterman-aaa-sip-00.txt. In addition, _user parameter is included
* in the request as value of a SER specific attribute type SIP-URI-User,
* which can be be used as a check item in the request. Service type of
* the request is Authenticate-Only.
*/
int radius_authorize_sterman(VALUE_PAIR** received, struct sip_msg* _msg, dig_cred_t* _cred, str* _method, str* _user)
{
static char msg[4096];
VALUE_PAIR *send;
UINT4 service, ser_service_type;
str method, user, user_name;
str *ruri;
int i;
send = 0;
if (!(_cred && _method && _user)) {
LOG(L_ERR, "radius_authorize_sterman(): Invalid parameter value\n");
return -1;
}
method = *_method;
user = *_user;
/*
* Add all the user digest parameters according to the qop defined.
* Most devices tested only offer support for the simplest digest.
*/
if (_cred->username.domain.len) {
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_USER_NAME].v),
_cred->username.whole.s, _cred->username.whole.len,
VENDOR(attrs[A_USER_NAME].v))) {
LOG(L_ERR, "radius_authorize_sterman(): Unable to add User-Name attribute\n");
goto err;
}
} else {
user_name.len = _cred->username.user.len + _cred->realm.len + 1;
user_name.s = pkg_malloc(user_name.len);
if (!user_name.s) {
LOG(L_ERR, "radius_authorize_sterman(): No memory left\n");
return -3;
}
memcpy(user_name.s, _cred->username.whole.s, _cred->username.whole.len);
user_name.s[_cred->username.whole.len] = '@';
memcpy(user_name.s + _cred->username.whole.len + 1, _cred->realm.s, _cred->realm.len);
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_USER_NAME].v),
user_name.s, user_name.len,
VENDOR(attrs[A_USER_NAME].v))) {
LOG(L_ERR, "sterman(): Unable to add User-Name attribute\n");
pkg_free(user_name.s);
goto err;
}
pkg_free(user_name.s);
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_USER_NAME].v),
_cred->username.whole.s, _cred->username.whole.len,
VENDOR(attrs[A_DIGEST_USER_NAME].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-User-Name attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_REALM].v),
_cred->realm.s, _cred->realm.len,
VENDOR(attrs[A_DIGEST_REALM].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-Realm attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_NONCE].v),
_cred->nonce.s, _cred->nonce.len,
VENDOR(attrs[A_DIGEST_NONCE].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-Nonce attribute\n");
goto err;
}
if (use_ruri_flag < 0 || isflagset(_msg, use_ruri_flag) != 1) {
ruri = &_cred->uri;
} else {
ruri = GET_RURI(_msg);
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_URI].v),
ruri->s, ruri->len,
VENDOR(attrs[A_DIGEST_URI].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-URI attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_METHOD].v),
method.s, method.len,
VENDOR(attrs[A_DIGEST_METHOD].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-Method attribute\n");
goto err;
}
/*
* Add the additional authentication fields according to the QOP.
*/
if (_cred->qop.qop_parsed == QOP_AUTH) {
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_QOP].v), "auth", 4,
VENDOR(attrs[A_DIGEST_QOP].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-QOP attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_NONCE_COUNT].v),
_cred->nc.s, _cred->nc.len,
VENDOR(attrs[A_DIGEST_NONCE_COUNT].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-CNonce-Count attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_CNONCE].v),
_cred->cnonce.s, _cred->cnonce.len,
VENDOR(attrs[A_DIGEST_CNONCE].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-CNonce attribute\n");
goto err;
}
} else if (_cred->qop.qop_parsed == QOP_AUTHINT) {
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_QOP].v), "auth-int", 8,
VENDOR(attrs[A_DIGEST_QOP].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-QOP attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_NONCE_COUNT].v),
_cred->nc.s, _cred->nc.len,
VENDOR(attrs[A_DIGEST_NONCE_COUNT].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-Nonce-Count attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_CNONCE].v),
_cred->cnonce.s, _cred->cnonce.len,
VENDOR(attrs[A_DIGEST_CNONCE].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-CNonce attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_BODY_DIGEST].v),
_cred->opaque.s, _cred->opaque.len,
VENDOR(attrs[A_DIGEST_BODY_DIGEST].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-Body-Digest attribute\n");
goto err;
}
} else {
/* send nothing for qop == "" */
}
/* Add the response... What to calculate against... */
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_DIGEST_RESPONSE].v),
_cred->response.s, _cred->response.len,
VENDOR(attrs[A_DIGEST_RESPONSE].v))) {
LOG(L_ERR, "sterman(): Unable to add Digest-Response attribute\n");
goto err;
}
/* Indicate the service type, Authenticate only in our case */
service = vals[V_SIP_SESSION].v;
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_SERVICE_TYPE].v),
&service, -1,
VENDOR(attrs[A_SERVICE_TYPE].v))) {
LOG(L_ERR, "sterman(): Unable to add Service-Type attribute\n");
goto err;
}
/* Indicate the service type, Authenticate only in our case */
ser_service_type = vals[V_DIGEST_AUTHENTICATION].v;
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_SER_SERVICE_TYPE].v),
&ser_service_type, -1,
VENDOR(attrs[A_SER_SERVICE_TYPE].v))) {
LOG(L_ERR, "sterman(): Unable to add SER-Service-Type attribute\n");
goto err;
}
/* Add SIP URI as a check item */
if (!rc_avpair_add(rh, &send, ATTRID(attrs[A_SER_URI_USER].v),
user.s, user.len,
VENDOR(attrs[A_SER_URI_USER].v))) {
LOG(L_ERR, "sterman(): Unable to add Sip-URI-User attribute\n");
goto err;
}
if (attrs[A_CISCO_AVPAIR].n != NULL) {
if (add_cisco_vsa(&send, _msg)) {
goto err;
}
}
/* Send request */
if ((i = rc_auth(rh, SIP_PORT, send, received, msg)) == OK_RC) {
DBG("radius_authorize_sterman(): Success\n");
rc_avpair_free(send);
send = 0;
return 1;
} else {
DBG("radius_authorize_sterman(): Failure\n");
goto err;
}
err:
if (send) rc_avpair_free(send);
return -1;
}
static krb5_int32
prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
{
krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH;
size_t len = 0;
char **realms, **cpp, *temp_buf=NULL;
krb5_data *comp1 = NULL, *comp2 = NULL;
char *comp1_str = NULL;
/* By now we know that server principal name is unknown.
* If CANONICALIZE flag is set in the request
* If req is not U2U authn. req
* the requested server princ. has exactly two components
* either
* the name type is NT-SRV-HST
* or name type is NT-UNKNOWN and
* the 1st component is listed in conf file under host_based_services
* the 1st component is not in a list in conf under "no_host_referral"
* the 2d component looks like fully-qualified domain name (FQDN)
* If all of these conditions are satisfied - try mapping the FQDN and
* re-process the request as if client had asked for cross-realm TGT.
*/
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) &&
!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&
krb5_princ_size(kdc_context, request->server) == 2) {
comp1 = krb5_princ_component(kdc_context, request->server, 0);
comp2 = krb5_princ_component(kdc_context, request->server, 1);
comp1_str = calloc(1,comp1->length+1);
if (!comp1_str) {
retval = ENOMEM;
goto cleanup;
}
strlcpy(comp1_str,comp1->data,comp1->length+1);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
(krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
(krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, comp1_str) == TRUE ||
krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, KRB5_CONF_ASTERISK) == TRUE))) &&
(kdc_active_realm->realm_no_host_referral == NULL ||
(krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, KRB5_CONF_ASTERISK) == FALSE &&
krb5_match_config_pattern(kdc_active_realm->realm_no_host_referral, comp1_str) == FALSE))) {
for (len=0; len < comp2->length; len++) {
if (comp2->data[len] == '.') break;
}
if (len == comp2->length)
goto cleanup;
temp_buf = calloc(1, comp2->length+1);
if (!temp_buf){
retval = ENOMEM;
goto cleanup;
}
strlcpy(temp_buf, comp2->data,comp2->length+1);
retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
free(temp_buf);
if (retval) {
/* no match found */
kdc_err(kdc_context, retval, 0);
goto cleanup;
}
if (realms == 0) {
retval = KRB5KRB_AP_ERR_BADMATCH;
goto cleanup;
}
if (realms[0] == 0) {
free(realms);
retval = KRB5KRB_AP_ERR_BADMATCH;
goto cleanup;
}
/* Modify request.
* Construct cross-realm tgt : krbtgt/REMOTE_REALM@LOCAL_REALM
* and use it as a principal in this req.
*/
retval = krb5_build_principal(kdc_context, krbtgt_princ,
(*request->server).realm.length,
(*request->server).realm.data,
"krbtgt", realms[0], (char *)0);
for (cpp = realms; *cpp; cpp++)
free(*cpp);
}
}
cleanup:
free(comp1_str);
return retval;
}
/*ARGSUSED*/
krb5_error_code
process_tgs_req(struct server_handle *handle, krb5_data *pkt,
const krb5_fulladdr *from, krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_keyblock *header_key = NULL;
krb5_kdc_req *request = 0;
krb5_db_entry *server = NULL;
krb5_db_entry *stkt_server = NULL;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int st_idx = 0;
krb5_enc_tkt_part enc_tkt_reply;
int newtransited = 0;
krb5_error_code retval = 0;
krb5_keyblock encrypting_key;
krb5_timestamp kdc_time, authtime = 0;
krb5_keyblock session_key;
krb5_keyblock *reply_key = NULL;
krb5_key_data *server_key;
krb5_principal cprinc = NULL, sprinc = NULL, altcprinc = NULL;
krb5_last_req_entry *nolrarray[2], nolrentry;
int errcode;
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* TGT */
krb5_enc_tkt_part *subject_tkt = NULL; /* TGT or evidence ticket */
krb5_db_entry *client = NULL, *header_server = NULL;
krb5_db_entry *local_tgt, *local_tgt_storage = NULL;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
krb5_boolean is_referral;
const char *emsg = NULL;
krb5_kvno ticket_kvno = 0;
struct kdc_request_state *state = NULL;
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
krb5_pa_data **e_data = NULL;
kdc_realm_t *kdc_active_realm = NULL;
krb5_audit_state *au_state = NULL;
krb5_data **auth_indicators = NULL;
memset(&reply, 0, sizeof(reply));
memset(&reply_encpart, 0, sizeof(reply_encpart));
memset(&ticket_reply, 0, sizeof(ticket_reply));
memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
/* Save pointer to client-requested service principal, in case of
* errors before a successful call to search_sprinc(). */
sprinc = request->server;
if (request->msg_type != KRB5_TGS_REQ) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return KRB5_BADMSGTYPE;
}
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
kdc_active_realm = setup_server_realm(handle, request->server);
if (kdc_active_realm == NULL) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return KRB5KDC_ERR_WRONG_REALM;
}
errcode = kdc_make_rstate(kdc_active_realm, &state);
if (errcode !=0) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return errcode;
}
/* Initialize audit state. */
errcode = kau_init_kdc_req(kdc_context, request, from, &au_state);
if (errcode) {
krb5_free_kdc_req(handle->kdc_err_context, request);
return errcode;
}
/* Seed the audit trail with the request ID and basic information. */
kau_tgs_req(kdc_context, TRUE, au_state);
errcode = kdc_process_tgs_req(kdc_active_realm,
request, from, pkt, &header_ticket,
&header_server, &header_key, &subkey,
&pa_tgs_req);
if (header_ticket && header_ticket->enc_part2)
cprinc = header_ticket->enc_part2->client;
if (errcode) {
status = "PROCESS_TGS";
goto cleanup;
}
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
errcode = kau_make_tkt_id(kdc_context, header_ticket,
&au_state->tkt_in_id);
if (errcode) {
status = "GENERATE_TICKET_ID";
goto cleanup;
}
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
errcode = kdc_find_fast(&request, &scratch, subkey,
header_ticket->enc_part2->session, state, NULL);
/* Reset sprinc because kdc_find_fast() can replace request. */
sprinc = request->server;
if (errcode !=0) {
status = "FIND_FAST";
goto cleanup;
}
errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
&local_tgt, &local_tgt_storage);
if (errcode) {
status = "GET_LOCAL_TGT";
goto cleanup;
}
/* Ignore (for now) the request modification due to FAST processing. */
au_state->request = request;
/*
* Pointer to the encrypted part of the header ticket, which may be
* replaced to point to the encrypted part of the evidence ticket
* if constrained delegation is used. This simplifies the number of
* special cases for constrained delegation.
*/
header_enc_tkt = header_ticket->enc_part2;
/*
* We've already dealt with the AP_REQ authentication, so we can
* use header_ticket freely. The encrypted part (if any) has been
* decrypted with the session key.
*/
au_state->stage = SRVC_PRINC;
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
errcode = search_sprinc(kdc_active_realm, request, s_flags, &server,
&status);
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
/* If we got a cross-realm TGS which is not the requested server, we are
* issuing a referral (or alternate TGT, which we treat similarly). */
is_referral = is_cross_tgs_principal(server->princ) &&
!krb5_principal_compare(kdc_context, request->server, server->princ);
au_state->stage = VALIDATE_POL;
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
}
if ((retval = validate_tgs_request(kdc_active_realm,
request, *server, header_ticket,
kdc_time, &status, &e_data))) {
if (!status)
status = "UNKNOWN_REASON";
if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
if (!is_local_principal(kdc_active_realm, header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_active_realm,
request,
header_enc_tkt->client,
server,
subkey,
header_enc_tkt->session,
kdc_time,
&s4u_x509_user,
&client,
&status);
if (s4u_x509_user != NULL || errcode != 0) {
if (s4u_x509_user != NULL)
au_state->s4u2self_user = s4u_x509_user->user_id.user;
if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
au_state->status = status;
kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
au_state->s4u2self_user = NULL;
}
if (errcode)
goto cleanup;
if (s4u_x509_user != NULL) {
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
if (is_referral) {
/* The requesting server appears to no longer exist, and we found
* a referral instead. Treat this as a server lookup failure. */
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
status = "LOOKING_UP_SERVER";
goto cleanup;
}
}
/* Deal with user-to-user and constrained delegation */
errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags,
&stkt_server, &status);
if (errcode)
goto cleanup;
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
/* Do constrained delegation protocol and authorization checks */
errcode = kdc_process_s4u2proxy_req(kdc_active_realm,
request,
request->second_ticket[st_idx]->enc_part2,
stkt_server,
header_ticket->enc_part2->client,
request->server,
&status);
if (errcode == KDC_ERR_POLICY || errcode == KDC_ERR_BADOPTION)
au_state->violation = PROT_CONSTRAINT;
else if (errcode)
au_state->violation = LOCAL_POLICY;
au_state->status = status;
retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx],
&au_state->evid_tkt_id);
if (retval) {
status = "GENERATE_TICKET_ID";
errcode = retval;
goto cleanup;
}
kau_s4u2proxy(kdc_context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
assert(krb5_is_tgs_principal(header_ticket->server));
assert(client == NULL); /* assured by kdc_process_s4u2self_req() */
client = stkt_server;
stkt_server = NULL;
} else if (request->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY) {
krb5_db_free_principal(kdc_context, stkt_server);
stkt_server = NULL;
} else
assert(stkt_server == NULL);
au_state->stage = ISSUE_TKT;
errcode = gen_session_key(kdc_active_realm, request, server, &session_key,
&status);
if (errcode)
goto cleanup;
/*
* subject_tkt will refer to the evidence ticket (for constrained
* delegation) or the TGT. The distinction from header_enc_tkt is
* necessary because the TGS signature only protects some fields:
* the others could be forged by a malicious server.
*/
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
subject_tkt = request->second_ticket[st_idx]->enc_part2;
else
subject_tkt = header_enc_tkt;
authtime = subject_tkt->times.authtime;
/* Extract auth indicators from the subject ticket, except for S4U2Proxy
* requests (where the client didn't authenticate). */
if (s4u_x509_user == NULL) {
errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
&auth_indicators);
if (errcode) {
status = "GET_AUTH_INDICATORS";
goto cleanup;
}
}
errcode = check_indicators(kdc_context, server, auth_indicators);
if (errcode) {
status = "HIGHER_AUTHENTICATION_REQUIRED";
goto cleanup;
}
if (is_referral)
ticket_reply.server = server->princ;
else
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = OPTS2FLAGS(request->kdc_options);
enc_tkt_reply.flags |= COPY_TKT_FLAGS(header_enc_tkt->flags);
enc_tkt_reply.times.starttime = 0;
if (isflagset(server->attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
/* Indicate support for encrypted padata (RFC 6806). */
setflag(enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
/* don't use new addresses unless forwarded, see below */
enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0;/* optional...don't put it in */
reply_encpart.enc_padata = NULL;
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
* realms may refuse to issue renewable tickets
*/
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
/*
* If S4U2Self principal is not forwardable, then mark ticket as
* unforwardable. This behaviour matches Windows, but it is
* different to the MIT AS-REQ path, which returns an error
* (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
*
* Consider this block the S4U2Self equivalent to
* validate_forwardable().
*/
if (client != NULL &&
isflagset(client->attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* Forwardable flag is propagated along referral path.
*/
else if (!isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
!isflagset(server->attributes,
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
}
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED) ||
isflagset(request->kdc_options, KDC_OPT_PROXY)) {
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
/* We don't currently handle issuing anonymous tickets based on
* non-anonymous ones, so just ignore the option. */
if (isflagset(request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS) &&
!isflagset(header_enc_tkt->flags, TKT_FLG_ANONYMOUS))
clear(enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_timestamp old_starttime;
krb5_deltat old_life;
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
old_starttime = enc_tkt_reply.times.starttime ?
enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
old_life = enc_tkt_reply.times.endtime - old_starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
min(header_ticket->enc_part2->times.renew_till,
kdc_time + old_life);
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
kdc_get_ticket_endtime(kdc_active_realm, enc_tkt_reply.times.starttime,
header_enc_tkt->times.endtime, request->till,
client, server, &enc_tkt_reply.times.endtime);
}
kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client,
server, &enc_tkt_reply);
/*
* Set authtime to be the same as header or evidence ticket's
*/
enc_tkt_reply.times.authtime = authtime;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
altcprinc = s4u_x509_user->user_id.user;
} else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
altcprinc = subject_tkt->client;
} else {
altcprinc = NULL;
}
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
encrypting_key = *(t2enc->session);
} else {
/*
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0, /* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
}
/*
* Convert server.key into a real key
* (it may be encrypted in the database)
*/
if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
/*
* Don't allow authorization data to be disabled if constrained
* delegation is requested. We don't want to deny the server
* the ability to validate that delegation was used.
*/
clear(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
}
if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
/*
* If we are not doing protocol transition/constrained delegation
* try to lookup the client principal so plugins can add additional
* authorization information.
*
* Always validate authorization data for constrained delegation
* because we must validate the KDC signatures.
*/
if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U)) {
/* Generate authorization data so we can include it in ticket */
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
/* Map principals from foreign (possibly non-AD) realms */
setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
assert(client == NULL); /* should not have been set already */
errcode = krb5_db_get_principal(kdc_context, subject_tkt->client,
c_flags, &client);
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = subject_tkt->client;
enc_tkt_reply.session = &session_key;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
* than the realm of the client (since the realm of the client is already
* implicitly part of the transited list and should not be explicitly
* listed).
*/
/* realm compare is like strcmp, but knows how to deal with these args */
if (krb5_realm_compare(kdc_context, header_ticket->server, tgs_server) ||
krb5_realm_compare(kdc_context, header_ticket->server,
enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_enc_tkt->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
if (header_enc_tkt->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "VALIDATE_TRANSIT_TYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
goto cleanup;
}
memset(&enc_tkt_reply.transited, 0, sizeof(enc_tkt_reply.transited));
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
if ((errcode =
add_to_transited(&header_enc_tkt->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
request->server))) {
status = "ADD_TO_TRANSITED_LIST";
goto cleanup;
}
newtransited = 1;
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
server, header_server);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
}
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
errcode = kdc_check_transited_list (kdc_active_realm,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_enc_tkt->client),
krb5_princ_realm (kdc_context, request->server));
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else {
log_tgs_badtrans(kdc_context, cprinc, sprinc,
&enc_tkt_reply.transited.tr_contents, errcode);
}
} else
krb5_klog_syslog(LOG_INFO, _("not checking transit path"));
if (kdc_active_realm->realm_reject_bad_transit &&
!isflagset(enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
au_state->violation = LOCAL_POLICY;
goto cleanup;
}
errcode = handle_authdata(kdc_context, c_flags, client, server,
header_server, local_tgt,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
header_key,
pkt,
request,
s4u_x509_user ?
s4u_x509_user->user_id.user : NULL,
subject_tkt,
auth_indicators,
&enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
errcode);
status = "HANDLE_AUTHDATA";
goto cleanup;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
* If we are doing user-to-user authentication, then make sure
* that the client for the second ticket matches the request
* server, and then encrypt the ticket using the session key of
* the second ticket.
*/
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
/*
* Make sure the client for the second ticket matches
* requested server.
*/
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
altcprinc = client2;
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
status = "2ND_TKT_MISMATCH";
au_state->status = status;
kau_u2u(kdc_context, FALSE, au_state);
goto cleanup;
}
ticket_kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
kau_u2u(kdc_context, TRUE, au_state);
st_idx++;
} else {
ticket_kvno = server_key->key_data_kvno;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode) {
status = "ENCRYPT_TICKET";
goto cleanup;
}
ticket_reply.enc_part.kvno = ticket_kvno;
/* Start assembling the response */
au_state->stage = ENCR_REP;
reply.msg_type = KRB5_TGS_REP;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
krb5int_find_pa_data(kdc_context, request->padata,
KRB5_PADATA_S4U_X509_USER) != NULL) {
errcode = kdc_make_s4u2self_rep(kdc_context,
subkey,
header_ticket->enc_part2->session,
s4u_x509_user,
&reply,
&reply_encpart);
if (errcode) {
status = "MAKE_S4U2SELF_PADATA";
au_state->status = status;
}
kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state);
if (errcode)
goto cleanup;
}
reply.client = enc_tkt_reply.client;
reply.enc_part.kvno = 0;/* We are using the session key */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields */
reply_encpart.times = enc_tkt_reply.times;
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrentry.magic = 0;
nolrarray[0] = &nolrentry;
nolrarray[1] = 0;
reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
reply_encpart.key_exp = 0;/* ditto */
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype);
if (errcode !=0 ) {
status = "MAKE_FAST_RESPONSE";
goto cleanup;
}
errcode =kdc_fast_handle_reply_key(state,
subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode) {
status = "MAKE_FAST_REPLY_KEY";
goto cleanup;
}
errcode = return_enc_padata(kdc_context, pkt, request,
reply_key, server, &reply_encpart,
is_referral &&
isflagset(s_flags,
KRB5_KDB_FLAG_CANONICALIZE));
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
}
errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id);
if (errcode) {
status = "GENERATE_TICKET_ID";
goto cleanup;
}
if (kdc_fast_hide_client(state))
reply.client = (krb5_principal)krb5_anonymous_principal();
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
reply_key,
&reply, response);
if (errcode) {
status = "ENCODE_KDC_REP";
} else {
status = "ISSUE";
}
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
cleanup:
assert(status != NULL);
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
emsg = krb5_get_error_message (kdc_context, errcode);
au_state->status = status;
if (!errcode)
au_state->reply = &reply;
kau_tgs_req(kdc_context, errcode ? FALSE : TRUE, au_state);
kau_free_kdc_req(au_state);
log_tgs_req(kdc_context, from, request, &reply, cprinc,
sprinc, altcprinc, authtime,
c_flags, status, errcode, emsg);
if (errcode) {
krb5_free_error_message (kdc_context, emsg);
emsg = NULL;
}
if (errcode) {
int got_err = 0;
if (status == 0) {
status = krb5_get_error_message (kdc_context, errcode);
got_err = 1;
}
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > KRB_ERR_MAX)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(state, request, header_ticket, errcode,
(server != NULL) ? server->princ : NULL,
response, status, e_data);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
}
}
if (header_ticket != NULL)
krb5_free_ticket(kdc_context, header_ticket);
if (request != NULL)
krb5_free_kdc_req(kdc_context, request);
if (state)
kdc_free_rstate(state);
krb5_db_free_principal(kdc_context, server);
krb5_db_free_principal(kdc_context, header_server);
krb5_db_free_principal(kdc_context, client);
krb5_db_free_principal(kdc_context, local_tgt_storage);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
if (s4u_x509_user != NULL)
krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
if (header_key != NULL)
krb5_free_keyblock(kdc_context, header_key);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
krb5_free_pa_data(kdc_context, e_data);
k5_free_data_ptr_list(auth_indicators);
return retval;
}
/*
* Message contained some contacts, but record with same address
* of record was not found so we have to create a new record
* and insert all contacts from the message that have expires
* > 0
*/
static inline int insert(struct sip_msg* _m, contact_t* _c, udomain_t* _d, str* _a, str *ua)
{
urecord_t* r = 0;
ucontact_t* c;
int e, cseq;
qvalue_t q;
str callid;
unsigned int flags;
str* recv;
int_str rcv_avp;
int_str val;
int num;
rcv_avp.n=rcv_avp_no;
if (isflagset(_m, nat_flag) == 1) flags = FL_NAT;
else flags = FL_NONE;
flags |= mem_only;
num = 0;
while(_c) {
if (calc_contact_expires(_m, _c->expires, &e) < 0) {
LOG(L_ERR, "insert(): Error while calculating expires\n");
return -1;
}
/* Skip contacts with zero expires */
if (e == 0) goto skip;
if (max_contacts && (num >= max_contacts)) {
rerrno = R_TOO_MANY;
ul.delete_urecord(_d, _a);
return -1;
}
num++;
if (r == 0) {
if (ul.insert_urecord(_d, _a, &r) < 0) {
rerrno = R_UL_NEW_R;
LOG(L_ERR, "insert(): Can't insert new record structure\n");
return -2;
}
}
/* Calculate q value of the contact */
if (calc_contact_q(_c->q, &q) < 0) {
LOG(L_ERR, "insert(): Error while calculating q\n");
ul.delete_urecord(_d, _a);
return -3;
}
/* Get callid of the message */
callid = _m->callid->body;
trim_trailing(&callid);
/* Get CSeq number of the message */
if (str2int(&get_cseq(_m)->number, (unsigned int*)&cseq) < 0) {
rerrno = R_INV_CSEQ;
LOG(L_ERR, "insert(): Error while converting cseq number\n");
ul.delete_urecord(_d, _a);
return -4;
}
if (_c->received) {
recv = &_c->received->body;
} else if (search_first_avp(0, rcv_avp, &val)) {
recv = val.s;
} else {
recv = 0;
}
if (ul.insert_ucontact(r, &_c->uri, e, q, &callid, cseq, flags, &c, ua, recv) < 0) {
rerrno = R_UL_INS_C;
LOG(L_ERR, "insert(): Error while inserting contact\n");
ul.delete_urecord(_d, _a);
return -5;
}
skip:
_c = get_next_contact(_c);
}
if (r) {
if (!r->contacts) {
ul.delete_urecord(_d, _a);
} else {
build_contact(r->contacts);
}
}
return 0;
}
static CallInfo*
get_call_info(struct sip_msg *msg, CallControlAction action)
{
static CallInfo call_info;
int headers;
memset(&call_info, 0, sizeof(struct CallInfo));
switch (action) {
case CAInitialize:
headers = HDR_CALLID_F|HDR_FROM_F;
break;
case CAStart:
case CAStop:
headers = HDR_CALLID_F;
break;
default:
// Invalid action. Should never get here.
assert(False);
return NULL;
}
if (parse_headers(msg, headers, 0) == -1) {
LM_ERR("cannot parse required headers\n");
return NULL;
}
if (headers & HDR_CALLID_F) {
if (msg->callid == NULL) {
LM_ERR("missing Call-ID header\n");
return NULL;
}
call_info.callid = msg->callid->body;
trim(&call_info.callid);
}
if (headers & HDR_FROM_F) {
struct to_body *from; // yeah. suggestive structure name ;)
if (msg->from == NULL) {
LM_ERR("missing From header\n");
return NULL;
}
if (!msg->from->parsed && parse_from_header(msg)==-1) {
LM_ERR("cannot parse From header\n");
return NULL;
}
from = get_from(msg);
if (from->body.s==NULL || from->body.len==0) {
LM_ERR("missing From\n");
return NULL;
}
if (from->tag_value.s==NULL || from->tag_value.len==0) {
LM_ERR("missing From tag\n");
return NULL;
}
call_info.from = from->body;
call_info.from_tag = from->tag_value;
}
if (action == CAInitialize) {
call_info.ruri = get_canonical_request_uri(msg);
call_info.diverter = get_diverter(msg);
call_info.source_ip = get_signaling_ip(msg);
call_info.call_limit = get_call_limit(msg);
call_info.call_token = get_call_token(msg);
if (prepaid_account_flag >= 0) {
call_info.prepaid_account = isflagset(msg, prepaid_account_flag)==1 ? "true" : "false";
} else {
call_info.prepaid_account = "unknown";
}
}
call_info.action = action;
return &call_info;
}
void dotrustspew(long unum, char *tail) {
int res; char tmps2[TMPSSIZE], tmps3[TMPSSIZE], tmps4[TMPSSIZE], tmps5[TMPSSIZE];
trustedgroup *tg; trustedhost *th; int i; userdata *ud; long k, l;
array listofths; int iamtired;
res=sscanf(tail, "%s %s %s",tmps2,tmps3,tmps4);
if (res<2) {
msgtouser(unum,"Syntax: trustspew <groupname OR #groupID> [user]");
return;
}
if (res==2) { strcpy(tmps4,"*"); }
tmps4[USERLEN+2]='\0';
toLowerCase(tmps3); toLowerCase(tmps4);
if (tmps3[0]=='#') {
tg=findtrustgroupbyID(strtol(&tmps3[1],NULL,10));
} else {
tg=findtrustgroupbyname(tmps3);
}
if (tg==NULL) {
sprintf(tmps2,"A trustgroup with that %s does not exist.",(tmps3[0]=='#') ? "ID" : "name");
msgtouser(unum,tmps2); return;
}
/* First, create a list of all hosts in that trustgroup... */
array_init(&listofths,sizeof(unsigned long));
for (i=0;i<SIZEOFTL;i++) {
th=trustedhosts[i];
while (th!=NULL) {
if (th->id==tg->id) { /* mmkay, that one belongs to our group */
long j;
j=array_getfreeslot(&listofths);
((unsigned long *)listofths.content)[j]=th->IPv4;
}
th=(void *)th->next;
}
}
if (listofths.cursi==0) {
msgtouser(unum,"There are no hosts in that trustgroup.");
array_free(&listofths);
return;
}
/* We have the list - scan through the whole userlist, and match against our
hostlist, and if that matches, match again against the username */
sprintf(tmps2,"Users in Trustgroup %s (#%lu) matching %s",tg->name,tg->id,tmps4);
msgtouser(unum,tmps2);
l=0;
for (i=0;i<SIZEOFUL;i++) {
ud=uls[i];
while (ud!=NULL) {
for (k=0;k<listofths.cursi;k++) {
if (((unsigned long *)listofths.content)[k]==ud->realip) {
/* Host matches, check username */
strcpy(tmps5,ud->ident);
toLowerCase(tmps5);
if (match2strings(tmps4,tmps5)) {
/* yay ident matches too - list that loser */
channel **d; int chanmodes; char * mycip;
l++; /* inc counter of number of users found */
mycip=printipv4(ud->realip);
sprintf(tmps2,"%s!%s@%s(=%s) (%s)",ud->nick,ud->ident,ud->host,mycip,ud->realname);
msgtouser(unum,tmps2);
if (ud->chans.cursi>0) {
if (ud->chans.cursi==1) {
strcpy(tmps2,"On channel:");
} else {
strcpy(tmps2,"On channels:");
}
for (iamtired=0;iamtired<(ud->chans.cursi);iamtired++) {
d=(channel **)(ud->chans.content);
if ((strlen(d[iamtired]->name)+strlen(tmps2))>400) {
strcat(tmps2," [...]"); break;
} else {
chanmodes=getchanmode2(d[iamtired],ud->numeric);
strcat(tmps2," ");
if (chanmodes<0) {
strcat(tmps2,"?");
} else {
if (isflagset(chanmodes,um_o)) { strcat(tmps2,"@"); } else { strcat(tmps2," "); }
}
strcat(tmps2,d[iamtired]->name);
}
}
} else {
strcpy(tmps2,"Not on any (nonlocal-)channels");
}
msgtouser(unum,tmps2);
}
}
}
ud=(void *)ud->next;
}
}
sprintf(tmps2,"--- End of list - %ld matches ---",l);
msgtouser(unum,tmps2);
array_free(&listofths);
}
/* Handle backend-managed authorization data */
static krb5_error_code
handle_kdb_authdata (krb5_context context,
unsigned int flags,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code;
krb5_authdata **tgt_authdata, **db_authdata = NULL;
krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
krb5_const_principal actual_client;
/*
* Check whether KDC issued authorization data should be included.
* A server can explicitly disable the inclusion of authorization
* data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its
* principal entry. Otherwise authorization data will be included
* if it was present in the TGT, the client is from another realm
* or protocol transition/constrained delegation was used, or, in
* the AS-REQ case, if the pre-auth data indicated the PAC should
* be present.
*/
if (tgs_req) {
assert(enc_tkt_request != NULL);
if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED))
return 0;
if (enc_tkt_request->authorization_data == NULL &&
!isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U))
return 0;
assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime);
} else {
if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC))
return 0;
}
/*
* We have this special case for protocol transition, because for
* cross-realm protocol transition the ticket reply client will
* not be changed until the final hop.
*/
if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
actual_client = for_user_princ;
else
actual_client = enc_tkt_reply->client;
tgt_authdata = tgs_req ? enc_tkt_request->authorization_data : NULL;
code = krb5_db_sign_authdata(context, flags, actual_client, client,
server, krbtgt, client_key, server_key,
krbtgt_key, enc_tkt_reply->session,
enc_tkt_reply->times.authtime, tgt_authdata,
&db_authdata);
if (code == 0) {
code = merge_authdata(context,
db_authdata,
&enc_tkt_reply->authorization_data,
FALSE, /* !copy */
FALSE); /* !ignore_kdc_issued */
if (code != 0)
krb5_free_authdata(context, db_authdata);
} else if (code == KRB5_PLUGIN_OP_NOTSUPP)
code = 0;
return code;
}
static krb5_error_code
handle_signedpath_authdata (krb5_context context,
unsigned int flags,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code = 0;
krb5_principal *deleg_path = NULL;
krb5_boolean signed_path = FALSE;
krb5_boolean s4u2proxy;
s4u2proxy = isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
/*
* The Windows PAC fulfils the same role as the signed path
* if it is the only authorization data element.
*/
if (request->msg_type == KRB5_TGS_REQ &&
!only_pac_p(context, enc_tkt_request->authorization_data)) {
code = verify_ad_signedpath(context,
krbtgt,
krbtgt_key,
enc_tkt_request,
&deleg_path,
&signed_path);
if (code != 0)
goto cleanup;
if (s4u2proxy && signed_path == FALSE) {
code = KRB5KDC_ERR_BADOPTION;
goto cleanup;
}
}
/* No point in including signedpath authdata for a cross-realm TGT, since
* it will be presented to a different KDC. */
if (!isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) &&
!is_cross_tgs_principal(server->princ) &&
!only_pac_p(context, enc_tkt_reply->authorization_data)) {
code = make_ad_signedpath(context,
for_user_princ,
s4u2proxy ? client->princ : NULL,
krbtgt,
krbtgt_key,
deleg_path,
enc_tkt_reply);
if (code != 0)
goto cleanup;
}
cleanup:
free_deleg_path(context, deleg_path);
return code;
}
/* ret= 0! if action -> end of list(e.g DROP),
> 0 to continue processing next actions
and <0 on error */
int do_action(struct action* a, struct sip_msg* msg)
{
int ret;
int v;
union sockaddr_union* to;
struct socket_info* send_sock;
struct proxy_l* p;
char* tmp;
char *new_uri, *end, *crt;
int len;
int user;
struct sip_uri uri, next_hop;
struct sip_uri* u;
unsigned short port;
int proto;
/* reset the value of error to E_UNSPEC so avoid unknowledgable
functions to return with errror (status<0) and not setting it
leaving there previous error; cache the previous value though
for functions which want to process it */
prev_ser_error=ser_error;
ser_error=E_UNSPEC;
ret=E_BUG;
switch ((unsigned char)a->type){
case DROP_T:
ret=0;
break;
case FORWARD_T:
#ifdef USE_TCP
case FORWARD_TCP_T:
#endif
#ifdef USE_TLS
case FORWARD_TLS_T:
#endif
case FORWARD_UDP_T:
if (a->type==FORWARD_UDP_T) proto=PROTO_UDP;
#ifdef USE_TCP
else if (a->type==FORWARD_TCP_T) proto= PROTO_TCP;
#endif
#ifdef USE_TLS
else if (a->type==FORWARD_TLS_T) proto= PROTO_TLS;
#endif
else proto=msg->rcv.proto;
if (a->p1_type==URIHOST_ST){
/*parse uri*/
if (msg->dst_uri.len) {
ret = parse_uri(msg->dst_uri.s, msg->dst_uri.len, &next_hop);
u = &next_hop;
} else {
ret = parse_sip_msg_uri(msg);
u = &msg->parsed_uri;
}
if (ret<0) {
LOG(L_ERR, "ERROR: do_action: forward: bad_uri "
" dropping packet\n");
break;
}
switch (a->p2_type){
case URIPORT_ST:
port=u->port_no;
break;
case NUMBER_ST:
port=a->p2.number;
break;
default:
LOG(L_CRIT, "BUG: do_action bad forward 2nd"
" param type (%d)\n", a->p2_type);
ret=E_UNSPEC;
goto error_fwd_uri;
}
switch(u->proto){
case PROTO_NONE:
proto=PROTO_UDP;
break;
case PROTO_UDP:
#ifdef USE_TCP
case PROTO_TCP:
#endif
#ifdef USE_TLS
case PROTO_TLS:
#endif
proto=u->proto;
break;
default:
LOG(L_ERR,"ERROR: do action: forward: bad uri"
" transport %d\n", u->proto);
ret=E_BAD_PROTO;
goto error_fwd_uri;
}
#ifdef USE_TLS
if (u->secure){
if (u->proto==PROTO_UDP){
LOG(L_ERR, "ERROR: do_action: forward: secure uri"
" incompatible with transport %d\n", u->proto);
ret=E_BAD_PROTO;
goto error_fwd_uri;
}
proto=PROTO_TLS;
}
#endif
/* create a temporary proxy*/
p=mk_proxy(&u->host, port, proto);
if (p==0){
LOG(L_ERR, "ERROR: bad host name in uri,"
" dropping packet\n");
ret=E_BAD_ADDRESS;
goto error_fwd_uri;
}
ret=forward_request(msg, p, proto);
/*free_uri(&uri); -- no longer needed, in sip_msg*/
free_proxy(p); /* frees only p content, not p itself */
pkg_free(p);
if (ret>=0) ret=1;
}else if ((a->p1_type==PROXY_ST) && (a->p2_type==NUMBER_ST)){
ret=forward_request(msg,(struct proxy_l*)a->p1.data, proto);
if (ret>=0) ret=1;
}else{
LOG(L_CRIT, "BUG: do_action: bad forward() types %d, %d\n",
a->p1_type, a->p2_type);
ret=E_BUG;
}
break;
case SEND_T:
case SEND_TCP_T:
if ((a->p1_type!= PROXY_ST)|(a->p2_type!=NUMBER_ST)){
LOG(L_CRIT, "BUG: do_action: bad send() types %d, %d\n",
a->p1_type, a->p2_type);
ret=E_BUG;
break;
}
to=(union sockaddr_union*)
pkg_malloc(sizeof(union sockaddr_union));
if (to==0){
LOG(L_ERR, "ERROR: do_action: "
"memory allocation failure\n");
ret=E_OUT_OF_MEM;
break;
}
p=(struct proxy_l*)a->p1.data;
if (p->ok==0){
if (p->host.h_addr_list[p->addr_idx+1])
p->addr_idx++;
else
p->addr_idx=0;
p->ok=1;
}
ret=hostent2su( to, &p->host, p->addr_idx,
(p->port)?p->port:SIP_PORT );
if (ret==0){
p->tx++;
p->tx_bytes+=msg->len;
if (a->type==SEND_T){
/*udp*/
send_sock=get_send_socket(to, PROTO_UDP);
if (send_sock!=0){
ret=udp_send(send_sock, msg->buf, msg->len, to);
}else{
ret=-1;
}
}
#ifdef USE_TCP
else{
/*tcp*/
ret=tcp_send(PROTO_TCP, msg->buf, msg->len, to, 0);
}
#endif
}
pkg_free(to);
if (ret<0){
p->errors++;
p->ok=0;
}else ret=1;
break;
case LOG_T:
if ((a->p1_type!=NUMBER_ST)|(a->p2_type!=STRING_ST)){
LOG(L_CRIT, "BUG: do_action: bad log() types %d, %d\n",
a->p1_type, a->p2_type);
ret=E_BUG;
break;
}
LOG(a->p1.number, a->p2.string);
ret=1;
break;
/* jku -- introduce a new branch */
case APPEND_BRANCH_T:
if ((a->p1_type!=STRING_ST)) {
LOG(L_CRIT, "BUG: do_action: bad append_branch_t %d\n",
a->p1_type );
ret=E_BUG;
break;
}
ret=append_branch( msg, a->p1.string,
a->p1.string ? strlen(a->p1.string):0 );
break;
/* jku begin: is_length_greater_than */
case LEN_GT_T:
if (a->p1_type!=NUMBER_ST) {
LOG(L_CRIT, "BUG: do_action: bad len_gt type %d\n",
a->p1_type );
ret=E_BUG;
break;
}
/* DBG("XXX: message length %d, max %d\n",
msg->len, a->p1.number ); */
ret = msg->len >= a->p1.number ? 1 : -1;
break;
/* jku end: is_length_greater_than */
/* jku - begin : flag processing */
case SETFLAG_T:
if (a->p1_type!=NUMBER_ST) {
LOG(L_CRIT, "BUG: do_action: bad setflag() type %d\n",
a->p1_type );
ret=E_BUG;
break;
}
if (!flag_in_range( a->p1.number )) {
ret=E_CFG;
break;
}
setflag( msg, a->p1.number );
ret=1;
break;
case RESETFLAG_T:
if (a->p1_type!=NUMBER_ST) {
LOG(L_CRIT, "BUG: do_action: bad resetflag() type %d\n",
a->p1_type );
ret=E_BUG;
break;
}
if (!flag_in_range( a->p1.number )) {
ret=E_CFG;
break;
}
resetflag( msg, a->p1.number );
ret=1;
break;
case ISFLAGSET_T:
if (a->p1_type!=NUMBER_ST) {
LOG(L_CRIT, "BUG: do_action: bad isflagset() type %d\n",
a->p1_type );
ret=E_BUG;
break;
}
if (!flag_in_range( a->p1.number )) {
ret=E_CFG;
break;
}
ret=isflagset( msg, a->p1.number );
break;
/* jku - end : flag processing */
case ERROR_T:
if ((a->p1_type!=STRING_ST)|(a->p2_type!=STRING_ST)){
LOG(L_CRIT, "BUG: do_action: bad error() types %d, %d\n",
a->p1_type, a->p2_type);
ret=E_BUG;
break;
}
LOG(L_NOTICE, "WARNING: do_action: error(\"%s\", \"%s\") "
"not implemented yet\n", a->p1.string, a->p2.string);
ret=1;
break;
case ROUTE_T:
if (a->p1_type!=NUMBER_ST){
LOG(L_CRIT, "BUG: do_action: bad route() type %d\n",
a->p1_type);
ret=E_BUG;
break;
}
if ((a->p1.number>RT_NO)||(a->p1.number<0)){
LOG(L_ERR, "ERROR: invalid routing table number in"
"route(%lu)\n", a->p1.number);
ret=E_CFG;
break;
}
ret=((ret=run_actions(rlist[a->p1.number], msg))<0)?ret:1;
break;
case EXEC_T:
if (a->p1_type!=STRING_ST){
LOG(L_CRIT, "BUG: do_action: bad exec() type %d\n",
a->p1_type);
ret=E_BUG;
break;
}
LOG(L_NOTICE, "WARNING: exec(\"%s\") not fully implemented,"
" using dumb version...\n", a->p1.string);
ret=system(a->p1.string);
if (ret!=0){
LOG(L_NOTICE, "WARNING: exec() returned %d\n", ret);
}
ret=1;
break;
case REVERT_URI_T:
if (msg->new_uri.s) {
pkg_free(msg->new_uri.s);
msg->new_uri.len=0;
msg->new_uri.s=0;
msg->parsed_uri_ok=0; /* invalidate current parsed uri*/
};
ret=1;
break;
case SET_HOST_T:
case SET_HOSTPORT_T:
case SET_USER_T:
case SET_USERPASS_T:
case SET_PORT_T:
case SET_URI_T:
case PREFIX_T:
case STRIP_T:
case STRIP_TAIL_T:
user=0;
if (a->type==STRIP_T || a->type==STRIP_TAIL_T) {
if (a->p1_type!=NUMBER_ST) {
LOG(L_CRIT, "BUG: do_action: bad set*() type %d\n",
a->p1_type);
break;
}
} else if (a->p1_type!=STRING_ST){
LOG(L_CRIT, "BUG: do_action: bad set*() type %d\n",
a->p1_type);
ret=E_BUG;
break;
}
if (a->type==SET_URI_T){
if (msg->new_uri.s) {
pkg_free(msg->new_uri.s);
msg->new_uri.len=0;
}
msg->parsed_uri_ok=0;
len=strlen(a->p1.string);
msg->new_uri.s=pkg_malloc(len+1);
if (msg->new_uri.s==0){
LOG(L_ERR, "ERROR: do_action: memory allocation"
" failure\n");
ret=E_OUT_OF_MEM;
break;
}
memcpy(msg->new_uri.s, a->p1.string, len);
msg->new_uri.s[len]=0;
msg->new_uri.len=len;
ret=1;
break;
}
if (msg->new_uri.s) {
tmp=msg->new_uri.s;
len=msg->new_uri.len;
}else{
tmp=msg->first_line.u.request.uri.s;
len=msg->first_line.u.request.uri.len;
}
if (parse_uri(tmp, len, &uri)<0){
LOG(L_ERR, "ERROR: do_action: bad uri <%s>, dropping"
" packet\n", tmp);
ret=E_UNSPEC;
break;
}
new_uri=pkg_malloc(MAX_URI_SIZE);
if (new_uri==0){
LOG(L_ERR, "ERROR: do_action: memory allocation "
" failure\n");
ret=E_OUT_OF_MEM;
break;
}
end=new_uri+MAX_URI_SIZE;
crt=new_uri;
/* begin copying */
len=strlen("sip:"); if(crt+len>end) goto error_uri;
memcpy(crt,"sip:",len);crt+=len;
/* user */
/* prefix (-jiri) */
if (a->type==PREFIX_T) {
tmp=a->p1.string;
len=strlen(tmp); if(crt+len>end) goto error_uri;
memcpy(crt,tmp,len);crt+=len;
/* whatever we had before, with prefix we have username
now */
user=1;
}
if ((a->type==SET_USER_T)||(a->type==SET_USERPASS_T)) {
tmp=a->p1.string;
len=strlen(tmp);
} else if (a->type==STRIP_T) {
if (a->p1.number>uri.user.len) {
LOG(L_WARN, "Error: too long strip asked; "
" deleting username: %lu of <%.*s>\n",
a->p1.number, uri.user.len, uri.user.s );
len=0;
} else if (a->p1.number==uri.user.len) {
len=0;
} else {
tmp=uri.user.s + a->p1.number;
len=uri.user.len - a->p1.number;
}
} else if (a->type==STRIP_TAIL_T) {
if (a->p1.number>uri.user.len) {
LOG(L_WARN, "WARNING: too long strip_tail asked; "
" deleting username: %lu of <%.*s>\n",
a->p1.number, uri.user.len, uri.user.s );
len=0;
} else if (a->p1.number==uri.user.len) {
len=0;
} else {
tmp=uri.user.s;
len=uri.user.len - a->p1.number;
}
} else {
tmp=uri.user.s;
len=uri.user.len;
}
if (len){
if(crt+len>end) goto error_uri;
memcpy(crt,tmp,len);crt+=len;
user=1; /* we have an user field so mark it */
}
if (a->type==SET_USERPASS_T) tmp=0;
else tmp=uri.passwd.s;
/* passwd */
if (tmp){
len=uri.passwd.len; if(crt+len+1>end) goto error_uri;
*crt=':'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
/* host */
if (user || tmp){ /* add @ */
if(crt+1>end) goto error_uri;
*crt='@'; crt++;
}
if ((a->type==SET_HOST_T) ||(a->type==SET_HOSTPORT_T)) {
tmp=a->p1.string;
if (tmp) len = strlen(tmp);
else len=0;
} else {
tmp=uri.host.s;
len = uri.host.len;
}
if (tmp){
if(crt+len>end) goto error_uri;
memcpy(crt,tmp,len);crt+=len;
}
/* port */
if (a->type==SET_HOSTPORT_T) tmp=0;
else if (a->type==SET_PORT_T) {
tmp=a->p1.string;
if (tmp) len = strlen(tmp);
else len = 0;
} else {
tmp=uri.port.s;
len = uri.port.len;
}
if (tmp){
if(crt+len+1>end) goto error_uri;
*crt=':'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
/* params */
tmp=uri.params.s;
if (tmp){
len=uri.params.len; if(crt+len+1>end) goto error_uri;
*crt=';'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
/* headers */
tmp=uri.headers.s;
if (tmp){
len=uri.headers.len; if(crt+len+1>end) goto error_uri;
*crt='?'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
*crt=0; /* null terminate the thing */
/* copy it to the msg */
if (msg->new_uri.s) pkg_free(msg->new_uri.s);
msg->new_uri.s=new_uri;
msg->new_uri.len=crt-new_uri;
msg->parsed_uri_ok=0;
ret=1;
break;
case IF_T:
/* if null expr => ignore if? */
if ((a->p1_type==EXPR_ST)&&a->p1.data){
v=eval_expr((struct expr*)a->p1.data, msg);
if (v<0){
if (v==EXPR_DROP){ /* hack to quit on DROP*/
ret=0;
break;
}else{
LOG(L_WARN,"WARNING: do_action:"
"error in expression\n");
}
}
ret=1; /*default is continue */
if (v>0) {
if ((a->p2_type==ACTIONS_ST)&&a->p2.data){
ret=run_actions((struct action*)a->p2.data, msg);
}
}else if ((a->p3_type==ACTIONS_ST)&&a->p3.data){
ret=run_actions((struct action*)a->p3.data, msg);
}
}
break;
case MODULE_T:
if ( ((a->p1_type==CMDF_ST)&&a->p1.data)/*&&
((a->p2_type==STRING_ST)&&a->p2.data)*/ ){
ret=((cmd_function)(a->p1.data))(msg, (char*)a->p2.data,
(char*)a->p3.data);
}else{
LOG(L_CRIT,"BUG: do_action: bad module call\n");
}
break;
case FORCE_RPORT_T:
msg->msg_flags|=FL_FORCE_RPORT;
ret=1; /* continue processing */
break;
case SET_ADV_ADDR_T:
if (a->p1_type!=STR_ST){
LOG(L_CRIT, "BUG: do_action: bad set_advertised_address() "
"type %d\n", a->p1_type);
ret=E_BUG;
break;
}
msg->set_global_address=*((str*)a->p1.data);
ret=1; /* continue processing */
break;
case SET_ADV_PORT_T:
if (a->p1_type!=STR_ST){
LOG(L_CRIT, "BUG: do_action: bad set_advertised_port() "
"type %d\n", a->p1_type);
ret=E_BUG;
break;
}
msg->set_global_port=*((str*)a->p1.data);
ret=1; /* continue processing */
break;
default:
LOG(L_CRIT, "BUG: do_action: unknown type %d\n", a->type);
}
/*skip:*/
return ret;
error_uri:
LOG(L_ERR, "ERROR: do_action: set*: uri too long\n");
if (new_uri) pkg_free(new_uri);
return E_UNSPEC;
error_fwd_uri:
/*free_uri(&uri); -- not needed anymore, using msg->parsed_uri*/
return ret;
}
/*
* Previously this code returned either a v4 key or a v5 key and you
* could tell from the enctype of the v5 key whether the v4 key was
* useful. Now we return both keys so the code can try both des3 and
* des decryption. We fail if the ticket doesn't have a v4 key.
* Also, note as a side effect, the v5 key is basically useless in
* the client case. It is still returned so the caller can free it.
*/
static int
kerb_get_principal(char *name, char *inst, /* could have wild cards */
Principal *principal,
int *more, /* more tuples than room for */
krb5_keyblock *k5key, krb5_kvno kvno,
int issrv, /* true if retrieving a service key */
krb5_deltat *k5life)
{
/* Note that this structure should not be passed to the
krb5_free* functions, because the pointers within it point
to data with other references. */
krb5_principal search;
krb5_db_entry entries; /* filled in by krb5_db_get_principal() */
int nprinc; /* how many found */
krb5_boolean more5; /* are there more? */
C_Block k;
short toggle = 0;
unsigned long *date;
char* text;
struct tm *tp;
krb5_key_data *pkey;
krb5_error_code retval;
*more = 0;
/* begin setting up the principal structure
* with the first info we have:
*/
memcpy( principal->name, name, 1 + strlen( name));
memcpy( principal->instance, inst, 1 + strlen( inst));
/* the principal-name format changed between v4 & v5:
* v4: name.instance@realm
* v5: realm/name/instance
* in v5, null instance means the null-component doesn't exist.
*/
if ((retval = krb5_425_conv_principal(kdc_context, name, inst,
local_realm, &search)))
return(0);
if ((retval = krb5_db_get_principal(kdc_context, search, &entries,
&nprinc, &more5))) {
krb5_free_principal(kdc_context, search);
return(0);
}
principal->key_low = principal->key_high = 0;
krb5_free_principal(kdc_context, search);
if (nprinc < 1) {
*more = (int)more5 || (nprinc > 1);
return(nprinc);
}
if (!issrv) {
if (krb5_dbe_find_enctype(kdc_context,
&entries,
ENCTYPE_DES_CBC_CRC,
KRB5_KDB_SALTTYPE_V4,
kvno,
&pkey) &&
krb5_dbe_find_enctype(kdc_context,
&entries,
ENCTYPE_DES_CBC_CRC,
-1,
kvno,
&pkey)) {
lt = klog(L_KRB_PERR,
"KDC V4: principal %s.%s isn't V4 compatible",
name, inst);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
} else {
if ( krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
-1, kvno, &pkey)) {
lt = klog(L_KRB_PERR,
"KDC V4: failed to find key for %s.%s #%d",
name, inst, kvno);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
}
if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
memcpy( &principal->key_low, k, LONGLEN);
memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
}
memset(k, 0, sizeof k);
if (issrv) {
krb5_free_keyblock_contents (kdc_context, k5key);
if (krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_RAW,
-1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_SHA1,
-1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES_CBC_CRC,
-1, kvno, &pkey)) {
lt = klog(L_KRB_PERR,
"KDC V4: failed to find key for %s.%s #%d (after having found it once)",
name, inst, kvno);
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
compat_decrypt_key(pkey, k, k5key, issrv);
memset (k, 0, sizeof k);
}
/*
* Convert v5's entries struct to v4's Principal struct:
* v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes,
* and gets weirder above (128 * 300) seconds.
*/
principal->max_life = krb_time_to_life(0, entries.max_life);
if (k5life != NULL)
*k5life = entries.max_life;
/*
* This is weird, but the intent is that the expiration is the minimum
* of the principal expiration and key expiration
*/
principal->exp_date = (unsigned long)
entries.expiration && entries.pw_expiration ?
min(entries.expiration, entries.pw_expiration) :
(entries.pw_expiration ? entries.pw_expiration :
entries.expiration);
/* principal->mod_date = (unsigned long) entries.mod_date; */
/* Set the master key version to 1. It's not really useful because all keys
* will be encrypted in the same master key version, and digging out the
* actual key version will be harder than it's worth --proven */
/* principal->kdc_key_ver = entries.mkvno; */
principal->kdc_key_ver = 1;
principal->key_version = pkey->key_data_kvno;
/* We overload the attributes with the relevant v5 ones */
principal->attributes = 0;
if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_HW_AUTH) ||
isflagset(entries.attributes, KRB5_KDB_REQUIRES_PRE_AUTH)) {
principal->attributes |= V4_KDB_REQUIRES_PREAUTH;
}
if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
}
if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
principal->attributes |= V4_KDB_DISALLOW_SVR;
}
if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
}
/* set up v4 format of each date's text: */
for ( date = &principal->exp_date, text = principal->exp_date_txt;
toggle ^= 1;
date = &principal->mod_date, text = principal->mod_date_txt) {
tp = localtime( (time_t *) date);
sprintf( text, "%4d-%02d-%02d",
tp->tm_year > 1900 ? tp->tm_year : tp->tm_year + 1900,
tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */
}
/*
* free the storage held by the v5 entry struct,
* which was allocated by krb5_db_get_principal().
* this routine clears the keyblock's contents for us.
*/
krb5_db_free_principal(kdc_context, &entries, nprinc);
*more = (int) more5 || (nprinc > 1);
return( nprinc);
}
/*
* This function creates and submits radius authentication request as per
* draft-sterman-aaa-sip-00.txt. In addition, _user parameter is included
* in the request as value of a SER specific attribute type SIP-URI-User,
* which can be be used as a check item in the request. Service type of
* the request is Authenticate-Only.
*/
int radius_authorize_sterman(struct sip_msg* _msg, dig_cred_t* _cred, str* _method, str* _user)
{
static char msg[4096];
VALUE_PAIR *send, *received;
uint32_t service;
str method, user, user_name;
str *ruri;
int extra_cnt, offset, i;
send = received = 0;
if (!(_cred && _method && _user)) {
LM_ERR("invalid parameter value\n");
return -1;
}
method = *_method;
user = *_user;
/*
* Add all the user digest parameters according to the qop defined.
* Most devices tested only offer support for the simplest digest.
*/
if (_cred->username.domain.len || !append_realm_to_username) {
if (!rc_avpair_add(rh, &send, attrs[A_USER_NAME].v, _cred->username.whole.s, _cred->username.whole.len, 0)) {
LM_ERR("unable to add User-Name attribute\n");
goto err;
}
} else {
user_name.len = _cred->username.user.len + _cred->realm.len + 1;
user_name.s = pkg_malloc(user_name.len);
if (!user_name.s) {
LM_ERR("no pkg memory left\n");
return -3;
}
memcpy(user_name.s, _cred->username.whole.s, _cred->username.whole.len);
user_name.s[_cred->username.whole.len] = '@';
memcpy(user_name.s + _cred->username.whole.len + 1, _cred->realm.s,
_cred->realm.len);
if (!rc_avpair_add(rh, &send, attrs[A_USER_NAME].v, user_name.s,
user_name.len, 0)) {
LM_ERR("unable to add User-Name attribute\n");
pkg_free(user_name.s);
goto err;
}
pkg_free(user_name.s);
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_USER_NAME].v,
_cred->username.whole.s, _cred->username.whole.len, 0)) {
LM_ERR("unable to add Digest-User-Name attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_REALM].v, _cred->realm.s,
_cred->realm.len, 0)) {
LM_ERR("unable to add Digest-Realm attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_NONCE].v, _cred->nonce.s,
_cred->nonce.len, 0)) {
LM_ERR("unable to add Digest-Nonce attribute\n");
goto err;
}
if (use_ruri_flag < 0 || isflagset(_msg, use_ruri_flag) != 1) {
ruri = &_cred->uri;
} else {
ruri = GET_RURI(_msg);
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_URI].v, ruri->s,
ruri->len, 0)) {
LM_ERR("unable to add Digest-URI attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_METHOD].v, method.s,
method.len, 0)) {
LM_ERR("unable to add Digest-Method attribute\n");
goto err;
}
/*
* Add the additional authentication fields according to the QOP.
*/
if (_cred->qop.qop_parsed == QOP_AUTH) {
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_QOP].v, "auth", 4, 0)) {
LM_ERR("unable to add Digest-QOP attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_NONCE_COUNT].v,
_cred->nc.s, _cred->nc.len, 0)) {
LM_ERR("unable to add Digest-CNonce-Count attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_CNONCE].v,
_cred->cnonce.s, _cred->cnonce.len, 0)) {
LM_ERR("unable to add Digest-CNonce attribute\n");
goto err;
}
} else if (_cred->qop.qop_parsed == QOP_AUTHINT) {
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_QOP].v,
"auth-int", 8, 0)) {
LM_ERR("unable to add Digest-QOP attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_NONCE_COUNT].v,
_cred->nc.s, _cred->nc.len, 0)) {
LM_ERR("unable to add Digest-Nonce-Count attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_CNONCE].v,
_cred->cnonce.s, _cred->cnonce.len, 0)) {
LM_ERR("unable to add Digest-CNonce attribute\n");
goto err;
}
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_BODY_DIGEST].v,
_cred->opaque.s, _cred->opaque.len, 0)) {
LM_ERR("unable to add Digest-Body-Digest attribute\n");
goto err;
}
} else {
/* send nothing for qop == "" */
}
/* Add the response... What to calculate against... */
if (!rc_avpair_add(rh, &send, attrs[A_DIGEST_RESPONSE].v,
_cred->response.s, _cred->response.len, 0)) {
LM_ERR("unable to add Digest-Response attribute\n");
goto err;
}
/* Indicate the service type, Authenticate only in our case */
service = vals[V_SIP_SESSION].v;
if (!rc_avpair_add(rh, &send, attrs[A_SERVICE_TYPE].v, &service, -1, 0)) {
LM_ERR("unable to add Service-Type attribute\n");
goto err;
}
/* Add SIP URI as a check item */
if (!rc_avpair_add(rh,&send,attrs[A_SIP_URI_USER].v,user.s,user.len,0)) {
LM_ERR("unable to add Sip-URI-User attribute\n");
goto err;
}
if (attrs[A_CISCO_AVPAIR].n != NULL) {
if (add_cisco_vsa(&send, _msg)) {
goto err;
}
}
/* Add extra attributes */
extra_cnt = extra2strar(auth_extra, _msg, val_arr);
if (extra_cnt == -1) {
LM_ERR("in getting values of extra attributes\n");
goto err;
}
offset = A_MAX;
for (i = 0; i < extra_cnt; i++) {
if (val_arr[i].len == -1) {
/* Add integer attribute */
ADD_EXTRA_AVPAIR(attrs, offset+i,
&(val_arr[i].s), val_arr[i].len );
} else {
/* Add string attribute */
ADD_EXTRA_AVPAIR(attrs, offset+i,
val_arr[i].s, val_arr[i].len );
}
}
/* Send request */
if ((i = rc_auth(rh, SIP_PORT, send, &received, msg)) == OK_RC) {
LM_DBG("Success\n");
rc_avpair_free(send);
send = 0;
generate_avps(received);
rc_avpair_free(received);
return 1;
} else {
#ifdef REJECT_RC
if (i == REJECT_RC) {
LM_DBG("Failure\n");
goto err;
}
#endif
LM_ERR("authorization failed. RC auth returned %d\n", i);
}
err:
if (send) rc_avpair_free(send);
if (received) rc_avpair_free(received);
return -1;
}
/*ARGSUSED*/
void
process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm,
verto_ctx *vctx, loop_respond_fn respond, void *arg)
{
krb5_error_code errcode;
krb5_timestamp rtime;
unsigned int s_flags = 0;
krb5_data encoded_req_body;
krb5_enctype useenctype;
struct as_req_state *state;
state = k5alloc(sizeof(*state), &errcode);
if (state == NULL) {
(*respond)(arg, errcode, NULL);
return;
}
state->respond = respond;
state->arg = arg;
state->request = request;
state->req_pkt = req_pkt;
state->from = from;
state->active_realm = kdc_active_realm;
errcode = kdc_make_rstate(kdc_active_realm, &state->rstate);
if (errcode != 0) {
(*respond)(arg, errcode, NULL);
return;
}
if (state->request->msg_type != KRB5_AS_REQ) {
state->status = "msg_type mismatch";
errcode = KRB5_BADMSGTYPE;
goto errout;
}
if (fetch_asn1_field((unsigned char *) req_pkt->data,
1, 4, &encoded_req_body) != 0) {
errcode = ASN1_BAD_ID;
state->status = "Finding req_body";
goto errout;
}
errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL,
state->rstate, &state->inner_body);
if (errcode) {
state->status = "error decoding FAST";
goto errout;
}
if (state->inner_body == NULL) {
/* Not a FAST request; copy the encoded request body. */
errcode = krb5_copy_data(kdc_context, &encoded_req_body,
&state->inner_body);
if (errcode) {
state->status = "storing req body";
goto errout;
}
}
state->rock.request = state->request;
state->rock.inner_body = state->inner_body;
state->rock.rstate = state->rstate;
state->rock.vctx = vctx;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->client,
&state->cname))) {
state->status = "UNPARSING_CLIENT";
goto errout;
}
limit_string(state->cname);
if (!state->request->server) {
state->status = "NULL_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
}
if ((errcode = krb5_unparse_name(kdc_context,
state->request->server,
&state->sname))) {
state->status = "UNPARSING_SERVER";
goto errout;
}
limit_string(state->sname);
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
* of cross realm TGS entries.
*/
setflag(state->c_flags, KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY);
/*
* Note that according to the referrals draft we should
* always canonicalize enterprise principal names.
*/
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE) ||
state->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
setflag(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(state->c_flags, KRB5_KDB_FLAG_ALIAS_OK);
}
if (include_pac_p(kdc_context, state->request)) {
setflag(state->c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
}
errcode = krb5_db_get_principal(kdc_context, state->request->client,
state->c_flags, &state->client);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "CLIENT_NOT_FOUND";
if (vague_errors)
errcode = KRB5KRB_ERR_GENERIC;
else
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
goto errout;
} else if (errcode) {
state->status = "LOOKING_UP_CLIENT";
goto errout;
}
state->rock.client = state->client;
/*
* If the backend returned a principal that is not in the local
* realm, then we need to refer the client to that realm.
*/
if (!is_local_principal(kdc_active_realm, state->client->princ)) {
/* Entry is a referral to another realm */
state->status = "REFERRAL";
errcode = KRB5KDC_ERR_WRONG_REALM;
goto errout;
}
s_flags = 0;
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
errcode = krb5_db_get_principal(kdc_context, state->request->server,
s_flags, &state->server);
if (errcode == KRB5_KDB_CANTLOCK_DB)
errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
if (errcode == KRB5_KDB_NOENTRY) {
state->status = "SERVER_NOT_FOUND";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto errout;
} else if (errcode) {
state->status = "LOOKING_UP_SERVER";
goto errout;
}
if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) {
state->status = "TIMEOFDAY";
goto errout;
}
state->authtime = state->kdc_time; /* for audit_as_request() */
if ((errcode = validate_as_request(kdc_active_realm,
state->request, *state->client,
*state->server, state->kdc_time,
&state->status, &state->e_data))) {
if (!state->status)
state->status = "UNKNOWN_REASON";
errcode += ERROR_TABLE_BASE_krb5;
goto errout;
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype = select_session_keytype(kdc_active_realm, state->server,
state->request->nktypes,
state->request->ktype)) == 0) {
/* unsupported ktype */
state->status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto errout;
}
if ((errcode = krb5_c_make_random_key(kdc_context, useenctype,
&state->session_key))) {
state->status = "RANDOM_KEY_FAILED";
goto errout;
}
/*
* Canonicalization is only effective if we are issuing a TGT
* (the intention is to allow support for Windows "short" realm
* aliases, nothing more).
*/
if (isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE) &&
krb5_is_tgs_principal(state->request->server) &&
krb5_is_tgs_principal(state->server->princ)) {
state->ticket_reply.server = state->server->princ;
} else {
state->ticket_reply.server = state->request->server;
}
state->enc_tkt_reply.flags = 0;
state->enc_tkt_reply.times.authtime = state->authtime;
setflag(state->enc_tkt_reply.flags, TKT_FLG_INITIAL);
setflag(state->enc_tkt_reply.flags, TKT_FLG_ENC_PA_REP);
/*
* It should be noted that local policy may affect the
* processing of any of these flags. For example, some
* realms may refuse to issue renewable tickets
*/
if (isflagset(state->request->kdc_options, KDC_OPT_FORWARDABLE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(state->request->kdc_options, KDC_OPT_PROXIABLE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(state->request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(state->enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
state->enc_tkt_reply.session = &state->session_key;
if (isflagset(state->c_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
state->client_princ = *(state->client->princ);
} else {
state->client_princ = *(state->request->client);
/* The realm is always canonicalized */
state->client_princ.realm = state->client->princ->realm;
}
state->enc_tkt_reply.client = &state->client_princ;
state->enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
state->enc_tkt_reply.transited.tr_contents = empty_string;
if (isflagset(state->request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(state->enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(state->enc_tkt_reply.flags, TKT_FLG_INVALID);
state->enc_tkt_reply.times.starttime = state->request->from;
} else
state->enc_tkt_reply.times.starttime = state->kdc_time;
kdc_get_ticket_endtime(kdc_active_realm,
state->enc_tkt_reply.times.starttime,
kdc_infinity, state->request->till, state->client,
state->server, &state->enc_tkt_reply.times.endtime);
if (isflagset(state->request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
!isflagset(state->client->attributes, KRB5_KDB_DISALLOW_RENEWABLE) &&
(state->enc_tkt_reply.times.endtime < state->request->till)) {
/* we set the RENEWABLE option for later processing */
setflag(state->request->kdc_options, KDC_OPT_RENEWABLE);
state->request->rtime = state->request->till;
}
rtime = (state->request->rtime == 0) ? kdc_infinity :
state->request->rtime;
if (isflagset(state->request->kdc_options, KDC_OPT_RENEWABLE)) {
/*
* XXX Should we squelch the output renew_till to be no
* earlier than the endtime of the ticket?
*/
setflag(state->enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
state->enc_tkt_reply.times.renew_till =
min(rtime, state->enc_tkt_reply.times.starttime +
min(state->client->max_renewable_life,
min(state->server->max_renewable_life,
max_renewable_life_for_realm)));
} else
state->enc_tkt_reply.times.renew_till = 0; /* XXX */
/*
* starttime is optional, and treated as authtime if not present.
* so we can nuke it if it matches
*/
if (state->enc_tkt_reply.times.starttime ==
state->enc_tkt_reply.times.authtime)
state->enc_tkt_reply.times.starttime = 0;
state->enc_tkt_reply.caddrs = state->request->addresses;
state->enc_tkt_reply.authorization_data = 0;
/* If anonymous requests are being used, adjust the realm of the client
* principal. */
if (isflagset(state->request->kdc_options, KDC_OPT_REQUEST_ANONYMOUS)) {
if (!krb5_principal_compare_any_realm(kdc_context,
state->request->client,
krb5_anonymous_principal())) {
errcode = KRB5KDC_ERR_BADOPTION;
state->status = "Anonymous requested but anonymous "
"principal not used.";
goto errout;
}
setflag(state->enc_tkt_reply.flags, TKT_FLG_ANONYMOUS);
krb5_free_principal(kdc_context, state->request->client);
state->request->client = NULL;
errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
&state->request->client);
if (errcode) {
state->status = "Copying anonymous principal";
goto errout;
}
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
/*
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
check_padata(kdc_context, &state->rock, state->req_pkt,
state->request, &state->enc_tkt_reply, &state->pa_context,
&state->e_data, &state->typed_e_data, finish_preauth,
state);
} else
finish_preauth(state, 0);
return;
errout:
finish_process_as_req(state, errcode);
}
/*
* Message contained some contacts, but record with same address
* of record was not found so we have to create a new record
* and insert all contacts from the message that have expires
* > 0
*/
static inline int insert(struct sip_msg* _m, str* aor, contact_t* _c, udomain_t* _d, str* _u, str *ua, str* aor_filter)
{
urecord_t* r = 0;
ucontact_t* c;
int e, cseq;
qvalue_t q;
str callid;
unsigned int flags;
str *recv, *inst;
int num;
if (isflagset(_m, save_nat_flag) == 1) flags = FL_NAT;
else flags = FL_NONE;
flags |= mem_only;
num = 0;
while(_c) {
if (calc_contact_expires(_m, _c->expires, &e) < 0) {
LOG(L_ERR, "insert(): Error while calculating expires\n");
return -1;
}
/* Skip contacts with zero expires */
if (e == 0) goto skip;
if (max_contacts && (num >= max_contacts)) {
rerrno = R_TOO_MANY;
ul.delete_urecord(_d, _u);
return -1;
}
num++;
if (r == 0) {
if (ul.insert_urecord(_d, _u, &r) < 0) {
rerrno = R_UL_NEW_R;
LOG(L_ERR, "insert(): Can't insert new record structure\n");
return -2;
}
}
/* Calculate q value of the contact */
if (calc_contact_q(_c->q, &q) < 0) {
LOG(L_ERR, "insert(): Error while calculating q\n");
ul.delete_urecord(_d, _u);
return -3;
}
/* Get callid of the message */
callid = _m->callid->body;
trim_trailing(&callid);
/* Get CSeq number of the message */
if (str2int(&get_cseq(_m)->number, (unsigned int*)&cseq) < 0) {
rerrno = R_INV_CSEQ;
LOG(L_ERR, "insert(): Error while converting cseq number\n");
ul.delete_urecord(_d, _u);
return -4;
}
if (_c->received) {
recv = &_c->received->body;
} else if (flags & FL_NAT) {
if (create_rcv_uri(&recv, _m) < 0) {
ERR("Error while creating rcv URI\n");
ul.delete_urecord(_d, _u);
return -4;
}
} else {
recv = 0;
}
if(_c->instance) {
inst = &_c->instance->body;
} else {
inst = 0;
}
if (ul.insert_ucontact(r, aor, &_c->uri, e, q, &callid, cseq, flags, &c, ua, recv,
_m->rcv.bind_address, inst) < 0) {
rerrno = R_UL_INS_C;
LOG(L_ERR, "insert(): Error while inserting contact\n");
ul.delete_urecord(_d, _u);
return -5;
}
skip:
_c = get_next_contact(_c);
}
if (r) {
if (!r->contacts) {
ul.delete_urecord(_d, _u);
} else {
build_contact(r->contacts, aor_filter);
}
}
return 0;
}
/*
* Message contained some contacts and appropriate
* record was found, so we have to walk through
* all contacts and do the following:
* 1) If contact in usrloc doesn't exists and
* expires > 0, insert new contact
* 2) If contact in usrloc exists and expires
* > 0, update the contact
* 3) If contact in usrloc exists and expires
* == 0, delete contact
*/
static inline int update(struct sip_msg* _m, urecord_t* _r, contact_t* _c, str* _ua)
{
ucontact_t* c, *c2;
str callid;
int cseq, e, ret;
int set, reset;
qvalue_t q;
unsigned int nated;
str* recv;
int_str rcv_avp;
int_str val;
rcv_avp.n=rcv_avp_no;
if (isflagset(_m, nat_flag) == 1) {
nated = FL_NAT;
} else {
nated = FL_NONE;
}
if (max_contacts) {
ret = test_max_contacts(_m, _r, _c);
if (ret != 0) {
build_contact(_r->contacts);
return -1;
}
}
_c = get_first_contact(_m);
while(_c) {
if (calc_contact_expires(_m, _c->expires, &e) < 0) {
build_contact(_r->contacts);
LOG(L_ERR, "update(): Error while calculating expires\n");
return -1;
}
if (ul.get_ucontact(_r, &_c->uri, &c) > 0) {
/* Contact not found */
if (e != 0) {
/* Calculate q value of the contact */
if (calc_contact_q(_c->q, &q) < 0) {
LOG(L_ERR, "update(): Error while calculating q\n");
return -2;
}
/* Get callid of the message */
callid = _m->callid->body;
trim_trailing(&callid);
/* Get CSeq number of the message */
if (str2int(&(((struct cseq_body*)_m->cseq->parsed)->number),
(unsigned int*) &cseq) < 0) {
rerrno = R_INV_CSEQ;
LOG(L_ERR, "update(): Error while converting cseq number\n");
return -3;
}
if (_c->received) {
recv = &_c->received->body;
} else if (search_first_avp(0, rcv_avp, &val)) {
recv = val.s;
} else {
recv = 0;
}
if (ul.insert_ucontact(_r, &_c->uri, e, q, &callid, cseq,
nated | mem_only,
&c2, _ua, recv) < 0) {
rerrno = R_UL_INS_C;
LOG(L_ERR, "update(): Error while inserting contact\n");
return -4;
}
}
} else {
if (e == 0) {
if (mem_only) {
c->flags |= FL_MEM;
} else {
c->flags &= ~FL_MEM;
}
if (ul.delete_ucontact(_r, c) < 0) {
rerrno = R_UL_DEL_C;
LOG(L_ERR, "update(): Error while deleting contact\n");
return -5;
}
} else {
/* Calculate q value of the contact */
if (calc_contact_q(_c->q, &q) < 0) {
LOG(L_ERR, "update(): Error while calculating q\n");
return -6;
}
/* Get callid of the message */
callid = _m->callid->body;
trim_trailing(&callid);
/* Get CSeq number of the message */
if (str2int(&(((struct cseq_body*)_m->cseq->parsed)->number), (unsigned int*)&cseq)
< 0) {
rerrno = R_INV_CSEQ;
LOG(L_ERR, "update(): Error while converting cseq number\n");
return -7;
}
if (_c->received) {
recv = &_c->received->body;
} else if (search_first_avp(0, rcv_avp, &val)) {
recv = val.s;
} else {
recv = 0;
}
set = nated | mem_only;
reset = ~(nated | mem_only) & (FL_NAT | FL_MEM);
if (ul.update_ucontact(c, e, q, &callid, cseq, set, reset, _ua, recv) < 0) {
rerrno = R_UL_UPD_C;
LOG(L_ERR, "update(): Error while updating contact\n");
return -8;
}
if (desc_time_order) {
move_on_top(_r, c);
}
}
}
_c = get_next_contact(_c);
}
return 0;
}
/*
* Message contained some contacts and appropriate
* record was found, so we have to walk through
* all contacts and do the following:
* 1) If contact in usrloc doesn't exists and
* expires > 0, insert new contact
* 2) If contact in usrloc exists and expires
* > 0, update the contact
* 3) If contact in usrloc exists and expires
* == 0, delete contact
*/
static inline int update(struct sip_msg* _m, urecord_t* _r, str* aor, contact_t* _c, str* _ua, str* aor_filter)
{
ucontact_t* c, *c2;
str callid;
int cseq, e, ret;
int set, reset;
qvalue_t q;
unsigned int nated;
str* recv, *inst;
if (isflagset(_m, save_nat_flag) == 1) {
nated = FL_NAT;
} else {
nated = FL_NONE;
}
if (max_contacts) {
ret = test_max_contacts(_m, _r, _c);
if (ret != 0) {
build_contact(_r->contacts, aor_filter);
return -1;
}
}
_c = get_first_contact(_m);
while(_c) {
if (calc_contact_expires(_m, _c->expires, &e) < 0) {
build_contact(_r->contacts, aor_filter);
LOG(L_ERR, "update(): Error while calculating expires\n");
return -1;
}
if(_c->instance) {
inst = &_c->instance->body;
} else {
inst = 0;
}
if (ul.get_ucontact_by_instance(_r, &_c->uri, inst, &c) > 0) {
/* Contact not found */
if (e != 0) {
/* Calculate q value of the contact */
if (calc_contact_q(_c->q, &q) < 0) {
LOG(L_ERR, "update(): Error while calculating q\n");
return -2;
}
/* Get callid of the message */
callid = _m->callid->body;
trim_trailing(&callid);
/* Get CSeq number of the message */
if (str2int(&(((struct cseq_body*)_m->cseq->parsed)->number),
(unsigned int*) &cseq) < 0) {
rerrno = R_INV_CSEQ;
LOG(L_ERR, "update(): Error while converting cseq number\n");
return -3;
}
if (_c->received) {
recv = &_c->received->body;
} else if (nated & FL_NAT) {
if (create_rcv_uri(&recv, _m) < 0) {
ERR("Error while creating rcv URI\n");
rerrno = R_UL_INS_C;
return -4;
}
} else {
recv = 0;
}
if (ul.insert_ucontact(_r, aor, &_c->uri, e, q, &callid, cseq,
nated | mem_only,
&c2, _ua, recv,
_m->rcv.bind_address,
inst) < 0) {
rerrno = R_UL_INS_C;
LOG(L_ERR, "update(): Error while inserting contact\n");
return -4;
}
}
} else {
if (e == 0) {
if (mem_only) {
c->flags |= FL_MEM;
} else {
c->flags &= ~FL_MEM;
}
if (ul.delete_ucontact(_r, c) < 0) {
rerrno = R_UL_DEL_C;
LOG(L_ERR, "update(): Error while deleting contact\n");
return -5;
}
} else {
/* Calculate q value of the contact */
if (calc_contact_q(_c->q, &q) < 0) {
LOG(L_ERR, "update(): Error while calculating q\n");
return -6;
}
/* Get callid of the message */
callid = _m->callid->body;
trim_trailing(&callid);
/* Get CSeq number of the message */
if (str2int(&(((struct cseq_body*)_m->cseq->parsed)->number), (unsigned int*)&cseq)
< 0) {
rerrno = R_INV_CSEQ;
LOG(L_ERR, "update(): Error while converting cseq number\n");
return -7;
}
if (_c->received) {
recv = &_c->received->body;
} else if (nated & FL_NAT) {
if (create_rcv_uri(&recv, _m) < 0) {
ERR("Error while creating rcv URI\n");
rerrno = R_UL_UPD_C;
return -4;
}
} else {
recv = 0;
}
set = nated | mem_only;
reset = ~(nated | mem_only) & (FL_NAT | FL_MEM);
if (ul.update_ucontact(c, &_c->uri, aor, e, q, &callid, cseq, set, reset, _ua, recv, _m->rcv.bind_address, inst) < 0) {
rerrno = R_UL_UPD_C;
LOG(L_ERR, "update(): Error while updating contact\n");
return -8;
}
}
}
_c = get_next_contact(_c);
}
return 0;
}
/* ret= 0! if action -> end of list(e.g DROP),
> 0 to continue processing next actions
and <0 on error */
int do_action(struct action* a, struct sip_msg* msg)
{
int ret;
int v;
int sec,usec;
union sockaddr_union* to;
struct proxy_l* p;
char* tmp;
char *new_uri, *end, *crt;
int len,i;
int user = 0;
int expires = 0;
str vals[5];
str result;
struct sip_uri uri, next_hop;
struct sip_uri *u;
unsigned short port;
int cmatch;
struct action *aitem;
struct action *adefault;
pv_spec_t *spec;
pv_elem_p model;
pv_value_t val;
pv_elem_t *pve;
str name_s;
struct timeval start;
int end_time;
action_elem_t *route_params_bak;
int route_params_number_bak;
/* reset the value of error to E_UNSPEC so avoid unknowledgable
functions to return with error (status<0) and not setting it
leaving there previous error; cache the previous value though
for functions which want to process it */
prev_ser_error=ser_error;
ser_error=E_UNSPEC;
start_expire_timer(start,execmsgthreshold);
ret=E_BUG;
switch ((unsigned char)a->type){
case DROP_T:
script_trace("core", "drop", msg, a->line) ;
action_flags |= ACT_FL_DROP;
case EXIT_T:
script_trace("core", "exit", msg, a->line) ;
ret=0;
action_flags |= ACT_FL_EXIT;
break;
case RETURN_T:
script_trace("core", "return", msg, a->line) ;
if (a->elem[0].type == SCRIPTVAR_ST)
{
spec = (pv_spec_t*)a->elem[0].u.data;
if(pv_get_spec_value(msg, spec, &val)!=0
|| (val.flags&PV_VAL_NULL))
{
ret=-1;
} else {
if(!(val.flags&PV_VAL_INT))
ret = 1;
else
ret = val.ri;
}
pv_value_destroy(&val);
} else {
ret=a->elem[0].u.number;
}
action_flags |= ACT_FL_RETURN;
break;
case FORWARD_T:
script_trace("core", "forward", msg, a->line) ;
if (a->elem[0].type==NOSUBTYPE){
/* parse uri and build a proxy */
if (msg->dst_uri.len) {
ret = parse_uri(msg->dst_uri.s, msg->dst_uri.len,
&next_hop);
u = &next_hop;
} else {
ret = parse_sip_msg_uri(msg);
u = &msg->parsed_uri;
}
if (ret<0) {
LM_ERR("forward: bad_uri dropping packet\n");
break;
}
/* create a temporary proxy*/
p=mk_proxy(u->maddr_val.len?&u->maddr_val:&u->host,
u->port_no, u->proto, (u->type==SIPS_URI_T)?1:0 );
if (p==0){
LM_ERR("bad host name in uri, dropping packet\n");
ret=E_BAD_ADDRESS;
goto error_fwd_uri;
}
ret=forward_request(msg, p);
free_proxy(p); /* frees only p content, not p itself */
pkg_free(p);
if (ret==0) ret=1;
}else if ((a->elem[0].type==PROXY_ST)) {
ret=forward_request(msg,(struct proxy_l*)a->elem[0].u.data);
if (ret==0) ret=1;
}else{
LM_ALERT("BUG in forward() types %d, %d\n",
a->elem[0].type, a->elem[1].type);
ret=E_BUG;
}
break;
case SEND_T:
script_trace("core", "send", msg, a->line) ;
if (a->elem[0].type!= PROXY_ST){
LM_ALERT("BUG in send() type %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
if (a->elem[1].u.data) {
if (a->elem[1].type != SCRIPTVAR_ELEM_ST){
LM_ALERT("BUG in send() header type %d\n",a->elem[1].type);
ret=E_BUG;
break;
} else {
pve = (pv_elem_t *)a->elem[1].u.data;
}
} else {
pve = NULL;
}
to=(union sockaddr_union*)
pkg_malloc(sizeof(union sockaddr_union));
if (to==0){
LM_ERR("memory allocation failure\n");
ret=E_OUT_OF_MEM;
break;
}
p=(struct proxy_l*)a->elem[0].u.data;
ret=hostent2su(to, &p->host, p->addr_idx,
(p->port)?p->port:SIP_PORT );
if (ret==0){
if (pve) {
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_UNSPEC;
break;
}
/* build new msg */
tmp = pkg_malloc(msg->len + name_s.len);
if (!tmp) {
LM_ERR("memory allocation failure\n");
ret = E_OUT_OF_MEM;
break;
}
LM_DBG("searching for first line %d\n",
msg->first_line.len);
/* search first line of previous msg */
/* copy headers */
len = msg->first_line.len;
memcpy(tmp, msg->buf, len);
memcpy(tmp + len, name_s.s, name_s.len);
memcpy(tmp + len + name_s.len,
msg->buf + len, msg->len - len);
ret = msg_send(0/*send_sock*/, p->proto, to, 0/*id*/,
tmp, msg->len + name_s.len);
pkg_free(tmp);
} else {
ret = msg_send(0/*send_sock*/, p->proto, to, 0/*id*/,
msg->buf, msg->len);
}
if (ret!=0 && p->host.h_addr_list[p->addr_idx+1])
p->addr_idx++;
}
pkg_free(to);
if (ret==0)
ret=1;
break;
case LOG_T:
script_trace("core", "log", msg, a->line) ;
if ((a->elem[0].type!=NUMBER_ST)|(a->elem[1].type!=STRING_ST)){
LM_ALERT("BUG in log() types %d, %d\n",
a->elem[0].type, a->elem[1].type);
ret=E_BUG;
break;
}
LM_GEN1(a->elem[0].u.number, "%s", a->elem[1].u.string);
ret=1;
break;
case APPEND_BRANCH_T:
script_trace("core", "append_branch", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in append_branch %d\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if (a->elem[0].u.s.s==NULL) {
ret = append_branch(msg, 0, &msg->dst_uri, &msg->path_vec,
get_ruri_q(), getb0flags(), msg->force_send_socket);
/* reset all branch info */
msg->force_send_socket = 0;
setb0flags(0);
set_ruri_q(Q_UNSPECIFIED);
if(msg->dst_uri.s!=0)
pkg_free(msg->dst_uri.s);
msg->dst_uri.s = 0;
msg->dst_uri.len = 0;
if(msg->path_vec.s!=0)
pkg_free(msg->path_vec.s);
msg->path_vec.s = 0;
msg->path_vec.len = 0;
} else {
ret = append_branch(msg, &a->elem[0].u.s, &msg->dst_uri,
&msg->path_vec, a->elem[1].u.number, getb0flags(),
msg->force_send_socket);
}
break;
case REMOVE_BRANCH_T:
script_trace("core", "remove_branch", msg, a->line) ;
if (a->elem[0].type == SCRIPTVAR_ST) {
spec = (pv_spec_t*)a->elem[0].u.data;
if( pv_get_spec_value(msg, spec, &val)!=0
|| (val.flags&PV_VAL_NULL) || !(val.flags&PV_VAL_INT) ) {
ret=-1;
break;
}
i = val.ri;
} else {
i=a->elem[0].u.number;
}
ret = (remove_branch((unsigned int)i)==0)?1:-1;
break;
case LEN_GT_T:
script_trace("core", "len_gt", msg, a->line) ;
if (a->elem[0].type!=NUMBER_ST) {
LM_ALERT("BUG in len_gt type %d\n",
a->elem[0].type );
ret=E_BUG;
break;
}
ret = (msg->len >= (unsigned int)a->elem[0].u.number) ? 1 : -1;
break;
case SET_DEBUG_T:
script_trace("core", "set_debug", msg, a->line) ;
if (a->elem[0].type==NUMBER_ST)
set_proc_debug_level(a->elem[0].u.number);
else
reset_proc_debug_level();
ret = 1;
break;
case SETFLAG_T:
script_trace("core", "setflag", msg, a->line) ;
ret = setflag( msg, a->elem[0].u.number );
break;
case RESETFLAG_T:
script_trace("core", "resetflag", msg, a->line) ;
ret = resetflag( msg, a->elem[0].u.number );
break;
case ISFLAGSET_T:
script_trace("core", "isflagset", msg, a->line) ;
ret = isflagset( msg, a->elem[0].u.number );
break;
case SETSFLAG_T:
script_trace("core", "setsflag", msg, a->line) ;
ret = setsflag( a->elem[0].u.number );
break;
case RESETSFLAG_T:
script_trace("core", "resetsflag", msg, a->line) ;
ret = resetsflag( a->elem[0].u.number );
break;
case ISSFLAGSET_T:
script_trace("core", "issflagset", msg, a->line) ;
ret = issflagset( a->elem[0].u.number );
break;
case SETBFLAG_T:
script_trace("core", "setbflag", msg, a->line) ;
ret = setbflag( a->elem[0].u.number, a->elem[1].u.number );
break;
case RESETBFLAG_T:
script_trace("core", "resetbflag", msg, a->line) ;
ret = resetbflag( a->elem[0].u.number, a->elem[1].u.number );
break;
case ISBFLAGSET_T:
script_trace("core", "isbflagset", msg, a->line) ;
ret = isbflagset( a->elem[0].u.number, a->elem[1].u.number );
break;
case ERROR_T:
script_trace("core", "error", msg, a->line) ;
if ((a->elem[0].type!=STRING_ST)|(a->elem[1].type!=STRING_ST)){
LM_ALERT("BUG in error() types %d, %d\n",
a->elem[0].type, a->elem[1].type);
ret=E_BUG;
break;
}
LM_ERR("error(\"%s\", \"%s\") not implemented yet\n",
a->elem[0].u.string, a->elem[1].u.string);
ret=1;
break;
case ROUTE_T:
script_trace("route", rlist[a->elem[0].u.number].name, msg, a->line) ;
if (a->elem[0].type!=NUMBER_ST){
LM_ALERT("BUG in route() type %d\n",
a->elem[0].type);
ret=E_BUG;
break;
}
if ((a->elem[0].u.number>RT_NO)||(a->elem[0].u.number<0)){
LM_ALERT("BUG - invalid routing table number in"
"route(%lu)\n", a->elem[0].u.number);
ret=E_CFG;
break;
}
/* check if the route has parameters */
if (a->elem[1].type != 0) {
if (a->elem[1].type != NUMBER_ST || a->elem[2].type != SCRIPTVAR_ELEM_ST) {
LM_ALERT("BUG in route() type %d/%d\n",
a->elem[1].type, a->elem[2].type);
ret=E_BUG;
break;
}
route_params_bak = route_params;
route_params = (action_elem_t *)a->elem[2].u.data;
route_params_number_bak = route_params_number;
route_params_number = a->elem[1].u.number;
return_code=run_actions(rlist[a->elem[0].u.number].a, msg);
route_params = route_params_bak;
route_params_number = route_params_number_bak;
} else {
return_code=run_actions(rlist[a->elem[0].u.number].a, msg);
}
ret=return_code;
break;
case REVERT_URI_T:
script_trace("core", "revert_uri", msg, a->line) ;
if (msg->new_uri.s) {
pkg_free(msg->new_uri.s);
msg->new_uri.len=0;
msg->new_uri.s=0;
msg->parsed_uri_ok=0; /* invalidate current parsed uri*/
};
ret=1;
break;
case SET_HOST_T:
case SET_HOSTPORT_T:
case SET_USER_T:
case SET_USERPASS_T:
case SET_PORT_T:
case SET_URI_T:
case PREFIX_T:
case STRIP_T:
case STRIP_TAIL_T:
script_trace("core",
(unsigned char)a->type == SET_HOST_T ? "set_host" :
(unsigned char)a->type == SET_HOSTPORT_T ? "set_hostport" :
(unsigned char)a->type == SET_USER_T ? "set_user" :
(unsigned char)a->type == SET_USERPASS_T ? "set_userpass" :
(unsigned char)a->type == SET_PORT_T ? "set_port" :
(unsigned char)a->type == SET_URI_T ? "set_uri" :
(unsigned char)a->type == PREFIX_T ? "prefix" :
(unsigned char)a->type == STRIP_T ? "strip" : "strip_tail",
msg, a->line);
user=0;
if (a->type==STRIP_T || a->type==STRIP_TAIL_T) {
if (a->elem[0].type!=NUMBER_ST) {
LM_ALERT("BUG in set*() type %d\n",
a->elem[0].type);
break;
}
} else if (a->elem[0].type!=STR_ST){
LM_ALERT("BUG in set*() type %d\n",
a->elem[0].type);
ret=E_BUG;
break;
}
if (a->type==SET_URI_T) {
if (set_ruri( msg, &a->elem[0].u.s) ) {
LM_ERR("failed to set new RURI\n");
ret=E_OUT_OF_MEM;
break;
}
ret=1;
break;
}
if (msg->new_uri.s) {
tmp=msg->new_uri.s;
len=msg->new_uri.len;
}else{
tmp=msg->first_line.u.request.uri.s;
len=msg->first_line.u.request.uri.len;
}
if (parse_uri(tmp, len, &uri)<0){
LM_ERR("bad uri <%.*s>, dropping packet\n", len, tmp);
ret=E_UNSPEC;
break;
}
new_uri=pkg_malloc(MAX_URI_SIZE);
if (new_uri==0){
LM_ERR("memory allocation failure\n");
ret=E_OUT_OF_MEM;
break;
}
end=new_uri+MAX_URI_SIZE;
crt=new_uri;
/* begin copying */
len = (uri.user.len?uri.user.s:uri.host.s) - tmp;
if (crt+len>end) goto error_uri;
memcpy(crt,tmp,len);crt+=len;
if (a->type==PREFIX_T) {
if (crt+a->elem[0].u.s.len>end) goto error_uri;
memcpy( crt, a->elem[0].u.s.s, a->elem[0].u.s.len);
crt+=a->elem[0].u.s.len;
/* whatever we had before, with prefix we have username
now */
user=1;
}
if ((a->type==SET_USER_T)||(a->type==SET_USERPASS_T)) {
tmp=a->elem[0].u.s.s;
len=a->elem[0].u.s.len;
} else if (a->type==STRIP_T) {
if (a->elem[0].u.number>uri.user.len) {
LM_WARN("too long strip asked; "
" deleting username: %lu of <%.*s>\n",
a->elem[0].u.number, uri.user.len, uri.user.s);
len=0;
} else if (a->elem[0].u.number==uri.user.len) {
len=0;
} else {
tmp=uri.user.s + a->elem[0].u.number;
len=uri.user.len - a->elem[0].u.number;
}
} else if (a->type==STRIP_TAIL_T) {
if (a->elem[0].u.number>uri.user.len) {
LM_WARN("too long strip_tail asked;"
" deleting username: %lu of <%.*s>\n",
a->elem[0].u.number, uri.user.len, uri.user.s);
len=0;
} else if (a->elem[0].u.number==uri.user.len) {
len=0;
} else {
tmp=uri.user.s;
len=uri.user.len - a->elem[0].u.number;
}
} else {
tmp=uri.user.s;
len=uri.user.len;
}
if (len){
if(crt+len>end) goto error_uri;
memcpy(crt,tmp,len);crt+=len;
user=1; /* we have an user field so mark it */
}
if (a->type==SET_USERPASS_T) tmp=0;
else tmp=uri.passwd.s;
/* passwd */
if (tmp){
len=uri.passwd.len; if(crt+len+1>end) goto error_uri;
*crt=':'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
/* host */
if (user || tmp){ /* add @ */
if(crt+1>end) goto error_uri;
*crt='@'; crt++;
}
if ((a->type==SET_HOST_T) ||(a->type==SET_HOSTPORT_T)) {
tmp=a->elem[0].u.s.s;
len=a->elem[0].u.s.len;
} else {
tmp=uri.host.s;
len = uri.host.len;
}
if (tmp){
if(crt+len>end) goto error_uri;
memcpy(crt,tmp,len);crt+=len;
}
/* port */
if (a->type==SET_HOSTPORT_T) tmp=0;
else if (a->type==SET_PORT_T) {
tmp=a->elem[0].u.s.s;
len=a->elem[0].u.s.len;
} else {
tmp=uri.port.s;
len = uri.port.len;
}
if (tmp && len>0){
if(crt+len+1>end) goto error_uri;
*crt=':'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
/* params */
tmp=uri.params.s;
if (tmp){
/* include in param string the starting ';' */
len=uri.params.len+1;
tmp--;
if(crt+len+1>end) goto error_uri;
/* if a maddr param is present, strip it out */
if (uri.maddr.len &&
(a->type==SET_HOSTPORT_T || a->type==SET_HOST_T)) {
memcpy(crt,tmp,uri.maddr.s-tmp-1);
crt+=uri.maddr.s-tmp-1;
memcpy(crt,uri.maddr_val.s+uri.maddr_val.len,
tmp+len-uri.maddr_val.s-uri.maddr_val.len);
crt+=tmp+len-uri.maddr_val.s-uri.maddr_val.len;
} else {
memcpy(crt,tmp,len);crt+=len;
}
}
/* headers */
tmp=uri.headers.s;
if (tmp){
len=uri.headers.len; if(crt+len+1>end) goto error_uri;
*crt='?'; crt++;
memcpy(crt,tmp,len);crt+=len;
}
*crt=0; /* null terminate the thing */
/* copy it to the msg */
if (msg->new_uri.s) pkg_free(msg->new_uri.s);
msg->new_uri.s=new_uri;
msg->new_uri.len=crt-new_uri;
msg->parsed_uri_ok=0;
ret=1;
break;
case SET_DSTURI_T:
script_trace("core", "set_dsturi", msg, a->line) ;
if (a->elem[0].type!=STR_ST){
LM_ALERT("BUG in setdsturi() type %d\n",
a->elem[0].type);
ret=E_BUG;
break;
}
if(set_dst_uri(msg, &a->elem[0].u.s)!=0)
ret = -1;
else
ret = 1;
break;
case SET_DSTHOST_T:
case SET_DSTPORT_T:
script_trace("core", (unsigned char) a->type == SET_DSTHOST_T ?
"set_dsturi" : "set_dstport", msg, a->line);
if (a->elem[0].type!=STR_ST){
LM_ALERT("BUG in domain setting type %d\n",
a->elem[0].type);
ret=E_BUG;
break;
}
tmp = msg->dst_uri.s;
len = msg->dst_uri.len;
if (tmp == NULL || len == 0) {
LM_ERR("failure - null uri\n");
ret = E_UNSPEC;
break;
}
if (a->type == SET_DSTHOST_T &&
(a->elem[0].u.s.s == NULL || a->elem[0].u.s.len == 0)) {
LM_ERR("cannot set a null uri domain\n");
break;
}
if (parse_uri(tmp, len, &uri)<0) {
LM_ERR("bad uri <%.*s>, dropping packet\n", len, tmp);
break;
}
new_uri=pkg_malloc(MAX_URI_SIZE);
if (new_uri == NULL) {
LM_ERR("memory allocation failure\n");
ret=E_OUT_OF_MEM;
break;
}
end=new_uri+MAX_URI_SIZE;
crt=new_uri;
len = (uri.user.len?uri.user.s:uri.host.s) - tmp;
if (crt+len>end) goto error_uri;
memcpy(crt,tmp,len);
crt += len;
/* user */
tmp = uri.user.s;
len = uri.user.len;
if (tmp) {
if (crt+len>end) goto error_uri;
memcpy(crt,tmp,len);
crt += len;
user = 1;
}
/* passwd */
tmp = uri.passwd.s;
len = uri.passwd.len;
if (user || tmp) {
if (crt+len+1>end) goto error_uri;
*crt++=':';
memcpy(crt, tmp, len);
crt += len;
}
/* host */
if (a->type==SET_DSTHOST_T) {
tmp = a->elem[0].u.s.s;
len = a->elem[0].u.s.len;
} else {
tmp = uri.host.s;
len = uri.host.len;
}
if (tmp) {
if (user) {
if (crt+1>end) goto error_uri;
*crt++='@';
}
if (crt+len+1>end) goto error_uri;
memcpy(crt, tmp, len);
crt += len;
}
/* port */
if (a->type==SET_DSTPORT_T) {
tmp = a->elem[0].u.s.s;
len = a->elem[0].u.s.len;
} else {
tmp = uri.port.s;
len = uri.port.len;
}
if (tmp) {
if (crt+len+1>end) goto error_uri;
*crt++=':';
memcpy(crt, tmp, len);
crt += len;
}
/* params */
tmp=uri.params.s;
if (tmp){
len=uri.params.len; if(crt+len+1>end) goto error_uri;
*crt++=';';
memcpy(crt,tmp,len);
crt += len;
}
/* headers */
tmp=uri.headers.s;
if (tmp){
len=uri.headers.len; if(crt+len+1>end) goto error_uri;
*crt++='?';
memcpy(crt,tmp,len);
crt += len;
}
*crt=0; /* null terminate the thing */
/* copy it to the msg */
pkg_free(msg->dst_uri.s);
msg->dst_uri.s=new_uri;
msg->dst_uri.len=crt-new_uri;
ret = 1;
break;
case RESET_DSTURI_T:
script_trace("core", "reset_dsturi", msg, a->line) ;
if(msg->dst_uri.s!=0)
pkg_free(msg->dst_uri.s);
msg->dst_uri.s = 0;
msg->dst_uri.len = 0;
ret = 1;
break;
case ISDSTURISET_T:
script_trace("core", "isdsturiset", msg, a->line) ;
if(msg->dst_uri.s==0 || msg->dst_uri.len<=0)
ret = -1;
else
ret = 1;
break;
case IF_T:
script_trace("core", "if", msg, a->line) ;
/* if null expr => ignore if? */
if ((a->elem[0].type==EXPR_ST)&&a->elem[0].u.data){
v=eval_expr((struct expr*)a->elem[0].u.data, msg, 0);
/* set return code to expr value */
if (v<0 || (action_flags&ACT_FL_RETURN)
|| (action_flags&ACT_FL_EXIT) ){
if (v==EXPR_DROP || (action_flags&ACT_FL_RETURN)
|| (action_flags&ACT_FL_EXIT) ){ /* hack to quit on DROP*/
ret=0;
return_code = 0;
break;
}else{
LM_WARN("error in expression (l=%d)\n", a->line);
}
}
ret=1; /*default is continue */
if (v>0) {
if ((a->elem[1].type==ACTIONS_ST)&&a->elem[1].u.data){
ret=run_action_list(
(struct action*)a->elem[1].u.data,msg );
return_code = ret;
} else return_code = v;
}else{
if ((a->elem[2].type==ACTIONS_ST)&&a->elem[2].u.data){
ret=run_action_list(
(struct action*)a->elem[2].u.data,msg);
return_code = ret;
} else return_code = v;
}
}
break;
case WHILE_T:
script_trace("core", "while", msg, a->line) ;
/* if null expr => ignore if? */
if ((a->elem[0].type==EXPR_ST)&&a->elem[0].u.data){
len = 0;
while(1)
{
if(len++ >= max_while_loops)
{
LM_INFO("max while loops are encountered\n");
break;
}
v=eval_expr((struct expr*)a->elem[0].u.data, msg, 0);
/* set return code to expr value */
if (v<0 || (action_flags&ACT_FL_RETURN)
|| (action_flags&ACT_FL_EXIT) ){
if (v==EXPR_DROP || (action_flags&ACT_FL_RETURN)
|| (action_flags&ACT_FL_EXIT) ){
ret=0;
return_code = 0;
break;
}else{
LM_WARN("error in expression (l=%d)\n",
a->line);
}
}
ret=1; /*default is continue */
if (v>0) {
if ((a->elem[1].type==ACTIONS_ST)
&&a->elem[1].u.data){
ret=run_action_list(
(struct action*)a->elem[1].u.data,msg );
/* check if return was done */
if ((action_flags&ACT_FL_RETURN)
|| (action_flags&ACT_FL_EXIT) ){
break;
}
return_code = ret;
} else {
/* we should not get here */
return_code = v;
break;
}
} else {
/* condition was false */
return_code = v;
break;
}
}
}
break;
case CACHE_STORE_T:
script_trace("core", "cache_store", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_store() - first argument not of"
" type string [%d]\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_store() - second argument not of "
"type string [%d]\n", a->elem[1].type );
ret=E_BUG;
break;
}
if ((a->elem[2].type!=STR_ST)) {
LM_ALERT("BUG in cache_store() - third argument not of type"
" string%d\n", a->elem[2].type );
ret=E_BUG;
break;
}
str val_s;
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
/* parse the value argument */
pve = (pv_elem_t *)a->elem[2].u.data;
if ( pv_printf_s(msg, pve, &val_s)!=0 ||
val_s.len == 0 || val_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
/* get the expires value */
if ( a->elem[3].type == SCRIPTVAR_ST )
{
spec = (pv_spec_t*)a->elem[3].u.data;
memset(&val, 0, sizeof(pv_value_t));
if(pv_get_spec_value(msg, spec, &val) < 0)
{
LM_DBG("Failed to get scriptvar value while executing cache_store\n");
ret=E_BUG;
break;
}
if (!(val.flags&PV_VAL_INT))
{
LM_ERR("Wrong value for cache_store expires, not an integer [%.*s]\n",
val.rs.len, val.rs.s);
}
expires = val.ri;
}
else
if ( a->elem[3].type == NUMBER_ST )
{
expires = (int)a->elem[3].u.number;
}
ret = cachedb_store( &a->elem[0].u.s, &name_s, &val_s,expires);
break;
case CACHE_REMOVE_T:
script_trace("core", "cache_remove", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_remove() %d\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_remove() %d\n",
a->elem[1].type );
ret=E_BUG;
break;
}
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
ret = cachedb_remove( &a->elem[0].u.s, &name_s);
break;
case CACHE_FETCH_T:
script_trace("core", "cache_fetch", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_fetch() %d\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_fetch() %d\n",
a->elem[1].type );
ret=E_BUG;
break;
}
if (a->elem[2].type!=SCRIPTVAR_ST){
LM_ALERT("BUG in cache_fetch() type %d\n",
a->elem[2].type);
ret=E_BUG;
break;
}
str aux = {0, 0};
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
ret = cachedb_fetch( &a->elem[0].u.s, &name_s, &aux);
if(ret > 0)
{
val.rs = aux;
val.flags = PV_VAL_STR;
spec = (pv_spec_t*)a->elem[2].u.data;
if (pv_set_value(msg, spec, 0, &val) < 0) {
LM_ERR("cannot set the variable value\n");
pkg_free(aux.s);
return -1;
}
pkg_free(aux.s);
}
break;
case CACHE_COUNTER_FETCH_T:
script_trace("core", "cache_counter_fetch", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_fetch() %d\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_fetch() %d\n",
a->elem[1].type );
ret=E_BUG;
break;
}
if (a->elem[2].type!=SCRIPTVAR_ST){
LM_ALERT("BUG in cache_fetch() type %d\n",
a->elem[2].type);
ret=E_BUG;
break;
}
int aux_counter;
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
ret = cachedb_counter_fetch( &a->elem[0].u.s, &name_s, &aux_counter);
if(ret > 0)
{
val.ri = aux_counter;
val.flags = PV_TYPE_INT|PV_VAL_INT;
spec = (pv_spec_t*)a->elem[2].u.data;
if (pv_set_value(msg, spec, 0, &val) < 0) {
LM_ERR("cannot set the variable value\n");
pkg_free(aux.s);
return -1;
}
}
break;
case CACHE_ADD_T:
script_trace("core", "cache_add", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_add() - first argument not of"
" type string [%d]\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_add() - second argument not of "
"type string [%d]\n", a->elem[1].type );
ret=E_BUG;
break;
}
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
int increment=0;
/* get the increment value */
if ( a->elem[2].type == SCRIPTVAR_ST )
{
spec = (pv_spec_t*)a->elem[2].u.data;
memset(&val, 0, sizeof(pv_value_t));
if(pv_get_spec_value(msg, spec, &val) < 0)
{
LM_DBG("Failed to get scriptvar value while executing cache_add\n");
ret=E_BUG;
break;
}
if (!(val.flags&PV_VAL_INT))
{
LM_ERR("Wrong value for cache_add, not an integer [%.*s]\n",
val.rs.len, val.rs.s);
}
increment = val.ri;
}
else if ( a->elem[2].type == NUMBER_ST )
{
increment = (int)a->elem[2].u.number;
}
expires = (int)a->elem[3].u.number;
/* TODO - return the new value to script ? */
ret = cachedb_add(&a->elem[0].u.s, &name_s, increment,expires,NULL);
break;
case CACHE_SUB_T:
script_trace("core", "cache_sub", msg, a->line) ;
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_sub() - first argument not of"
" type string [%d]\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_sub() - second argument not of "
"type string [%d]\n", a->elem[1].type );
ret=E_BUG;
break;
}
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
int decrement=0;
/* get the increment value */
if ( a->elem[2].type == SCRIPTVAR_ST )
{
spec = (pv_spec_t*)a->elem[2].u.data;
memset(&val, 0, sizeof(pv_value_t));
if(pv_get_spec_value(msg, spec, &val) < 0)
{
LM_DBG("Failed to get scriptvar value while executing cache_sub\n");
ret=E_BUG;
break;
}
if (!(val.flags&PV_VAL_INT))
{
LM_ERR("Wrong value for cache_sub, not an integer [%.*s]\n",
val.rs.len, val.rs.s);
}
decrement = val.ri;
}
else if ( a->elem[2].type == NUMBER_ST )
{
decrement = (int)a->elem[2].u.number;
}
expires = (int)a->elem[3].u.number;
/* TODO - return new value to script ? */
ret = cachedb_sub(&a->elem[0].u.s, &name_s, decrement,expires,NULL);
break;
case CACHE_RAW_QUERY_T:
if ((a->elem[0].type!=STR_ST)) {
LM_ALERT("BUG in cache_fetch() %d\n",
a->elem[0].type );
ret=E_BUG;
break;
}
if ((a->elem[1].type!=STR_ST)) {
LM_ALERT("BUG in cache_fetch() %d\n",
a->elem[1].type );
ret=E_BUG;
break;
}
if (a->elem[2].u.data != NULL &&
a->elem[2].type!=STR_ST){
LM_ALERT("BUG in cache_raw_query() type %d\n",
a->elem[2].type);
ret=E_BUG;
break;
}
/* parse the name argument */
pve = (pv_elem_t *)a->elem[1].u.data;
if ( pv_printf_s(msg, pve, &name_s)!=0 ||
name_s.len == 0 || name_s.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
cdb_raw_entry **cdb_reply;
int val_number=0,i,j;
int key_number=0;
pvname_list_t *cdb_res,*it;
int_str avp_val;
int_str avp_name;
unsigned short avp_type;
if (a->elem[2].u.data) {
cdb_res = (pvname_list_t*)a->elem[2].u.data;
for (it=cdb_res;it;it=it->next)
val_number++;
LM_DBG("The query expects %d results back\n",val_number);
ret = cachedb_raw_query( &a->elem[0].u.s, &name_s, &cdb_reply,val_number,&key_number);
if (ret >= 0 && val_number > 0) {
for (i=key_number-1; i>=0;i--) {
it=cdb_res;
for (j=0;j < val_number;j++) {
avp_type = 0;
if (pv_get_avp_name(msg,&it->sname.pvp,&avp_name.n,
&avp_type) != 0) {
LM_ERR("cannot get avp name [%d/%d]\n",i,j);
goto next_avp;
}
switch (cdb_reply[i][j].type) {
case CDB_INT:
avp_val.n = cdb_reply[i][j].val.n;
break;
case CDB_STR:
avp_type |= AVP_VAL_STR;
avp_val.s = cdb_reply[i][j].val.s;
break;
default:
LM_WARN("Unknown type %d\n",cdb_reply[i][j].type);
goto next_avp;
}
if (add_avp(avp_type,avp_name.n,avp_val) != 0) {
LM_ERR("Unable to add AVP\n");
free_raw_fetch(cdb_reply,val_number,key_number);
return -1;
}
next_avp:
if (it) {
it = it->next;
if (it==NULL);
break;
}
}
}
free_raw_fetch(cdb_reply,val_number,key_number);
}
}
else
ret = cachedb_raw_query( &a->elem[0].u.s, &name_s, NULL,0,NULL);
break;
case XDBG_T:
script_trace("core", "xdbg", msg, a->line) ;
if (a->elem[0].type == SCRIPTVAR_ELEM_ST)
{
if (xdbg(msg, a->elem[0].u.data, val.rs.s) < 0)
{
LM_ALERT("Cannot print message");
break;
}
}
else
{
LM_ALERT("BUG in xdbg() type %d\n", a->elem[0].type);
ret=E_BUG;
}
break;
case XLOG_T:
script_trace("core", "xlog", msg, a->line) ;
if (a->elem[1].u.data != NULL)
{
if (a->elem[1].type != SCRIPTVAR_ELEM_ST)
{
LM_ALERT("BUG in xlog() type %d\n", a->elem[1].type);
ret=E_BUG;
break;
}
if (a->elem[0].type != STR_ST)
{
LM_ALERT("BUG in xlog() type %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
if (xlog_2(msg,a->elem[0].u.data, a->elem[1].u.data) < 0)
{
LM_ALERT("Cannot print xlog debug message");
break;
}
}
else
{
if (a->elem[0].type != SCRIPTVAR_ELEM_ST)
{
LM_ALERT("BUG in xlog() type %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
if (xlog_1(msg,a->elem[0].u.data, val.rs.s) < 0)
{
LM_ALERT("Cannot print xlog debug message");
break;
}
}
break;
case RAISE_EVENT_T:
script_trace("core", "raise_event", msg, a->line) ;
if (a->elem[0].type != NUMBER_ST) {
LM_ERR("invalid event id\n");
ret=E_BUG;
break;
}
if (a->elem[2].u.data) {
/* three parameters specified */
ret = evi_raise_script_event(msg, (event_id_t)a->elem[0].u.number,
a->elem[1].u.data, a->elem[2].u.data);
} else {
/* two parameters specified */
ret = evi_raise_script_event(msg, (event_id_t)a->elem[0].u.number,
NULL, a->elem[1].u.data);
}
if (ret <= 0) {
LM_ERR("cannot raise event\n");
ret=E_UNSPEC;
break;
}
break;
case SUBSCRIBE_EVENT_T:
script_trace("core", "subscribe_event", msg, a->line) ;
if (a->elem[0].type != STR_ST || a->elem[1].type != STR_ST) {
LM_ERR("BUG in subscribe arguments\n");
ret=E_BUG;
break;
}
if (a->elem[2].u.data) {
if (a->elem[2].type != NUMBER_ST) {
LM_ERR("BUG in subscribe expiration time\n");
ret=E_BUG;
break;
} else {
i = a->elem[2].u.number;
}
} else {
i = 0;
}
name_s.s = a->elem[0].u.data;
name_s.len = strlen(name_s.s);
/* result should be the socket */
result.s = a->elem[1].u.data;
result.len = strlen(result.s);
ret = evi_event_subscribe(name_s, result, i, 0);
break;
case CONSTRUCT_URI_T:
script_trace("core", "construct_uri", msg, a->line) ;
for (i=0;i<5;i++)
{
pve = (pv_elem_t *)a->elem[i].u.data;
if (pve->spec.getf)
{
if ( pv_printf_s(msg, pve, &vals[i])!=0 ||
vals[i].len == 0 || vals[i].s == NULL)
{
LM_WARN("cannot get string for value\n");
ret=E_BUG;
return -1;
}
}
else
vals[i] = pve->text;
}
result.s = construct_uri(&vals[0],&vals[1],&vals[2],&vals[3],&vals[4],
&result.len);
if (result.s)
{
int_str res;
int avp_name;
unsigned short avp_type;
spec = (pv_spec_t*)a->elem[5].u.data;
if (pv_get_avp_name( msg, &(spec->pvp), &avp_name,
&avp_type)!=0){
LM_CRIT("BUG in getting AVP name\n");
return -1;
}
res.s = result;
if (add_avp(AVP_VAL_STR|avp_type, avp_name, res)<0){
LM_ERR("cannot add AVP\n");
return -1;
}
}
break;
case GET_TIMESTAMP_T:
script_trace("core", "get_timestamp", msg, a->line) ;
if (get_timestamp(&sec,&usec) == 0) {
int avp_name;
int_str res;
unsigned short avp_type;
spec = (pv_spec_t*)a->elem[0].u.data;
if (pv_get_avp_name(msg, &(spec->pvp), &avp_name,
&avp_type) != 0) {
LM_CRIT("BUG in getting AVP name\n");
return -1;
}
res.n = sec;
if (add_avp(avp_type, avp_name, res) < 0) {
LM_ERR("cannot add AVP\n");
return -1;
}
spec = (pv_spec_t*)a->elem[1].u.data;
if (pv_get_avp_name(msg, &(spec->pvp), &avp_name,
&avp_type) != 0) {
LM_CRIT("BUG in getting AVP name\n");
return -1;
}
res.n = usec;
if (add_avp(avp_type, avp_name, res) < 0) {
LM_ERR("cannot add AVP\n");
return -1;
}
} else {
LM_ERR("failed to get time\n");
return -1;
}
break;
case SWITCH_T:
script_trace("core", "switch", msg, a->line) ;
if (a->elem[0].type!=SCRIPTVAR_ST){
LM_ALERT("BUG in switch() type %d\n",
a->elem[0].type);
ret=E_BUG;
break;
}
spec = (pv_spec_t*)a->elem[0].u.data;
if(pv_get_spec_value(msg, spec, &val)!=0)
{
LM_ALERT("BUG - no value in switch()\n");
ret=E_BUG;
break;
}
/* get the value of pvar */
if(a->elem[1].type!=ACTIONS_ST) {
LM_ALERT("BUG in switch() actions\n");
ret=E_BUG;
break;
}
return_code=1;
adefault = NULL;
aitem = (struct action*)a->elem[1].u.data;
cmatch=0;
while(aitem)
{
if((unsigned char)aitem->type==DEFAULT_T)
adefault=aitem;
if(cmatch==0)
{
if(aitem->elem[0].type==STR_ST)
{
if(val.flags&PV_VAL_STR
&& val.rs.len==aitem->elem[0].u.s.len
&& strncasecmp(val.rs.s, aitem->elem[0].u.s.s,
val.rs.len)==0)
cmatch = 1;
} else { /* number */
if(val.flags&PV_VAL_INT &&
val.ri==aitem->elem[0].u.number)
cmatch = 1;
}
}
if(cmatch==1)
{
if(aitem->elem[1].u.data)
{
return_code=run_action_list(
(struct action*)aitem->elem[1].u.data, msg);
if ((action_flags&ACT_FL_RETURN) ||
(action_flags&ACT_FL_EXIT))
break;
}
if(aitem->elem[2].u.number==1)
break;
}
aitem = aitem->next;
}
if((cmatch==0) && (adefault!=NULL))
{
LM_DBG("switch: running default statement\n");
if(adefault->elem[0].u.data)
return_code=run_action_list(
(struct action*)adefault->elem[0].u.data, msg);
}
ret=return_code;
break;
case MODULE_T:
script_trace("module", ((cmd_export_t*)(a->elem[0].u.data))->name,
msg, a->line) ;
if ( (a->elem[0].type==CMD_ST) && a->elem[0].u.data ) {
ret=((cmd_export_t*)(a->elem[0].u.data))->function(msg,
(char*)a->elem[1].u.data, (char*)a->elem[2].u.data,
(char*)a->elem[3].u.data, (char*)a->elem[4].u.data,
(char*)a->elem[5].u.data, (char*)a->elem[6].u.data);
}else{
LM_ALERT("BUG in module call\n");
}
break;
case FORCE_RPORT_T:
script_trace("core", "force_rport", msg, a->line) ;
msg->msg_flags|=FL_FORCE_RPORT;
ret=1; /* continue processing */
break;
case FORCE_LOCAL_RPORT_T:
script_trace("core", "force_local_rport", msg, a->line) ;
msg->msg_flags|=FL_FORCE_LOCAL_RPORT;
ret=1; /* continue processing */
break;
case SET_ADV_ADDR_T:
script_trace("core", "set_adv_addr", msg, a->line) ;
if (a->elem[0].type!=STR_ST){
LM_ALERT("BUG in set_advertised_address() "
"type %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
str adv_addr;
pve = (pv_elem_t *)a->elem[0].u.data;
if ( pv_printf_s(msg, pve, &adv_addr)!=0 ||
adv_addr.len == 0 || adv_addr.s == NULL) {
LM_WARN("cannot get string for value\n");
ret=E_BUG;
break;
}
LM_DBG("adv address = [%.*s]\n",adv_addr.len,adv_addr.s);
msg->set_global_address=adv_addr;
ret=1; /* continue processing */
break;
case SET_ADV_PORT_T:
script_trace("core", "set_adv_port", msg, a->line) ;
if (a->elem[0].type!=STR_ST){
LM_ALERT("BUG in set_advertised_port() "
"type %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
msg->set_global_port=*((str*)a->elem[0].u.data);
ret=1; /* continue processing */
break;
#ifdef USE_TCP
case FORCE_TCP_ALIAS_T:
script_trace("core", "force_tcp_alias", msg, a->line) ;
if ( msg->rcv.proto==PROTO_TCP
#ifdef USE_TLS
|| msg->rcv.proto==PROTO_TLS
#endif
){
if (a->elem[0].type==NOSUBTYPE) port=msg->via1->port;
else if (a->elem[0].type==NUMBER_ST)
port=(int)a->elem[0].u.number;
else{
LM_ALERT("BUG in force_tcp_alias"
" port type %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
if (tcpconn_add_alias(msg->rcv.proto_reserved1, port,
msg->rcv.proto)!=0){
LM_ERR("tcp alias failed\n");
ret=E_UNSPEC;
break;
}
}
#endif
ret=1; /* continue processing */
break;
case FORCE_SEND_SOCKET_T:
script_trace("core", "force_send_socket", msg, a->line) ;
if (a->elem[0].type!=SOCKETINFO_ST){
LM_ALERT("BUG in force_send_socket argument"
" type: %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
msg->force_send_socket=(struct socket_info*)a->elem[0].u.data;
ret=1; /* continue processing */
break;
case SERIALIZE_BRANCHES_T:
script_trace("core", "serialize_branches", msg, a->line) ;
if (a->elem[0].type!=NUMBER_ST){
LM_ALERT("BUG in serialize_branches argument"
" type: %d\n", a->elem[0].type);
ret=E_BUG;
break;
}
if (serialize_branches(msg,(int)a->elem[0].u.number)!=0) {
LM_ERR("serialize_branches failed\n");
ret=E_UNSPEC;
break;
}
ret=1; /* continue processing */
break;
case NEXT_BRANCHES_T:
script_trace("core", "next_branches", msg, a->line) ;
if ((ret=next_branches(msg))<0) {
LM_ERR("next_branches failed\n");
ret=E_UNSPEC;
break;
}
/* continue processing */
break;
case EQ_T:
case COLONEQ_T:
case PLUSEQ_T:
case MINUSEQ_T:
case DIVEQ_T:
case MULTEQ_T:
case MODULOEQ_T:
case BANDEQ_T:
case BOREQ_T:
case BXOREQ_T:
ret = do_assign(msg, a);
break;
case USE_BLACKLIST_T:
script_trace("core", "use_blacklist", msg, a->line) ;
mark_for_search((struct bl_head*)a->elem[0].u.data, 1);
break;
case UNUSE_BLACKLIST_T:
script_trace("core", "unuse_blacklist", msg, a->line);
mark_for_search((struct bl_head*)a->elem[0].u.data, 0);
break;
case PV_PRINTF_T:
script_trace("core", "pv_printf", msg, a->line);
ret = -1;
spec = (pv_spec_p)a->elem[0].u.data;
if(!pv_is_w(spec))
{
LM_ERR("read only PV in first parameter of pv_printf\n");
goto error;
}
model = (pv_elem_p)a->elem[1].u.data;
memset(&val, 0, sizeof(pv_value_t));
if(pv_printf_s(msg, model, &val.rs)!=0)
{
LM_ERR("cannot eval second parameter\n");
goto error;
}
val.flags = PV_VAL_STR;
if(pv_set_value(msg, spec, EQ_T, &val)<0)
{
LM_ERR("setting PV failed\n");
goto error;
}
ret = 1;
break;
case SCRIPT_TRACE_T:
script_trace("core", "script_trace", msg, a->line);
if (a->elem[0].type==NOSUBTYPE) {
use_script_trace = 0;
} else {
use_script_trace = 1;
if (a->elem[0].type != NUMBER_ST ||
a->elem[1].type != SCRIPTVAR_ELEM_ST) {
LM_ERR("BUG in use_script_trace() arguments\n");
ret=E_BUG;
break;
}
if (a->elem[2].type!=NOSUBTYPE) {
script_trace_info = (char *)a->elem[2].u.data;
} else {
script_trace_info = NULL;
}
script_trace_log_level = (int)a->elem[0].u.number;
script_trace_elem = *(pv_elem_p)a->elem[1].u.data;
}
break;
default:
LM_ALERT("BUG - unknown type %d\n", a->type);
goto error;
}
if((unsigned char)a->type!=IF_T && (unsigned char)a->type!=ROUTE_T)
return_code = ret;
/*skip:*/
update_longest_action();
return ret;
error:
LM_ERR("error at line: %d\n", a->line);
update_longest_action();
return ret;
error_uri:
LM_ERR("set*: uri too long\n");
if (new_uri) pkg_free(new_uri);
update_longest_action();
return E_UNSPEC;
error_fwd_uri:
update_longest_action();
return ret;
}
/*
* Return true if missed_call accounting is enabled
* and the transaction has the flag set
*/
static inline int is_mc_on(struct sip_msg *rq)
{
return log_missed_flag && isflagset(rq, log_missed_flag) == 1;
}
/*ARGSUSED*/
krb5_error_code
process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
krb5_data **response)
{
krb5_keyblock * subkey = 0;
krb5_kdc_req *request = 0;
krb5_db_entry server;
krb5_kdc_rep reply;
krb5_enc_kdc_rep_part reply_encpart;
krb5_ticket ticket_reply, *header_ticket = 0;
int st_idx = 0;
krb5_enc_tkt_part enc_tkt_reply;
krb5_transited enc_tkt_transited;
int newtransited = 0;
krb5_error_code retval = 0;
krb5_keyblock encrypting_key;
int nprincs = 0;
krb5_boolean more;
krb5_timestamp kdc_time, authtime=0;
krb5_keyblock session_key;
krb5_timestamp until, rtime;
krb5_keyblock *reply_key = NULL;
krb5_keyblock *mkey_ptr;
krb5_key_data *server_key;
char *cname = 0, *sname = 0, *altcname = 0;
krb5_last_req_entry *nolrarray[2], nolrentry;
krb5_enctype useenctype;
int errcode, errcode2;
register int i;
int firstpass = 1;
const char *status = 0;
krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */
krb5_db_entry client, krbtgt;
int c_nprincs = 0, k_nprincs = 0;
krb5_pa_s4u_x509_user *s4u_x509_user = NULL; /* protocol transition request */
krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */
char *s4u_name = NULL;
krb5_boolean is_referral, db_ref_done = FALSE;
const char *emsg = NULL;
krb5_data *tgs_1 =NULL, *server_1 = NULL;
krb5_principal krbtgt_princ;
krb5_kvno ticket_kvno = 0;
struct kdc_request_state *state = NULL;
krb5_pa_data *pa_tgs_req; /*points into request*/
krb5_data scratch;
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
if ((retval = setup_server_realm(request->server))) {
krb5_free_kdc_req(kdc_context, request);
return retval;
}
errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
&krbtgt, &k_nprincs, &subkey, &pa_tgs_req);
if (header_ticket && header_ticket->enc_part2 &&
(errcode2 = krb5_unparse_name(kdc_context,
header_ticket->enc_part2->client,
&cname))) {
status = "UNPARSING CLIENT";
errcode = errcode2;
goto cleanup;
}
limit_string(cname);
if (errcode) {
status = "PROCESS_TGS";
goto cleanup;
}
if (!header_ticket) {
errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
status="UNEXPECTED NULL in header_ticket";
goto cleanup;
}
errcode = kdc_make_rstate(&state);
if (errcode !=0) {
status = "making state";
goto cleanup;
}
scratch.length = pa_tgs_req->length;
scratch.data = (char *) pa_tgs_req->contents;
errcode = kdc_find_fast(&request, &scratch, subkey, header_ticket->enc_part2->session, state);
if (errcode !=0) {
status = "kdc_find_fast";
goto cleanup;
}
/*
* Pointer to the encrypted part of the header ticket, which may be
* replaced to point to the encrypted part of the evidence ticket
* if constrained delegation is used. This simplifies the number of
* special cases for constrained delegation.
*/
header_enc_tkt = header_ticket->enc_part2;
/*
* We've already dealt with the AP_REQ authentication, so we can
* use header_ticket freely. The encrypted part (if any) has been
* decrypted with the session key.
*/
/* XXX make sure server here has the proper realm...taken from AP_REQ
header? */
if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
}
db_ref_done = FALSE;
ref_tgt_again:
nprincs = 1;
if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
status = "UNPARSING SERVER";
goto cleanup;
}
limit_string(sname);
errcode = krb5_db_get_principal_ext(kdc_context,
request->server,
s_flags,
&server,
&nprincs,
&more);
if (errcode) {
status = "LOOKING_UP_SERVER";
nprincs = 0;
goto cleanup;
}
tgt_again:
if (more) {
status = "NON_UNIQUE_PRINCIPAL";
errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
goto cleanup;
} else if (nprincs != 1) {
/*
* might be a request for a TGT for some other realm; we
* should do our best to find such a TGS in this db
*/
if (firstpass ) {
if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */
if (krb5_princ_size(kdc_context, request->server) == 2) {
server_1 = krb5_princ_component(kdc_context, request->server, 1);
tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
krb5_db_free_principal(kdc_context, &server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs);
firstpass = 0;
goto tgt_again;
}
}
krb5_db_free_principal(kdc_context, &server, nprincs);
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
} else if ( db_ref_done == FALSE) {
retval = prep_reprocess_req(request, &krbtgt_princ);
if (!retval) {
krb5_free_principal(kdc_context, request->server);
retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server));
if (!retval) {
db_ref_done = TRUE;
if (sname != NULL)
free(sname);
goto ref_tgt_again;
}
}
}
}
krb5_db_free_principal(kdc_context, &server, nprincs);
status = "UNKNOWN_SERVER";
errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
status = "TIME_OF_DAY";
goto cleanup;
}
if ((retval = validate_tgs_request(request, server, header_ticket,
kdc_time, &status))) {
if (!status)
status = "UNKNOWN_REASON";
errcode = retval + ERROR_TABLE_BASE_krb5;
goto cleanup;
}
if (!is_local_principal(header_enc_tkt->client))
setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
is_referral = krb5_is_tgs_principal(server.princ) &&
!krb5_principal_compare(kdc_context, tgs_server, server.princ);
/* Check for protocol transition */
errcode = kdc_process_s4u2self_req(kdc_context,
request,
header_enc_tkt->client,
&server,
subkey,
header_enc_tkt->session,
kdc_time,
&s4u_x509_user,
&client,
&c_nprincs,
&status);
if (errcode)
goto cleanup;
if (s4u_x509_user != NULL)
setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
/*
* We pick the session keytype here....
*
* Some special care needs to be taken in the user-to-user
* case, since we don't know what keytypes the application server
* which is doing user-to-user authentication can support. We
* know that it at least must be able to support the encryption
* type of the session key in the TGT, since otherwise it won't be
* able to decrypt the U2U ticket! So we use that in preference
* to anything else.
*/
useenctype = 0;
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
KDC_OPT_CNAME_IN_ADDL_TKT)) {
krb5_keyblock * st_sealing_key;
krb5_kvno st_srv_kvno;
krb5_enctype etype;
krb5_db_entry st_client;
int st_nprincs = 0;
/*
* Get the key for the second ticket, and decrypt it.
*/
if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
c_flags,
TRUE, /* match_enctype */
&st_client,
&st_nprincs,
&st_sealing_key,
&st_srv_kvno))) {
status = "2ND_TKT_SERVER";
goto cleanup;
}
errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
request->second_ticket[st_idx]);
krb5_free_keyblock(kdc_context, st_sealing_key);
if (errcode) {
status = "2ND_TKT_DECRYPT";
krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
goto cleanup;
}
etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
if (!krb5_c_valid_enctype(etype)) {
status = "BAD_ETYPE_IN_2ND_TKT";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
goto cleanup;
}
for (i = 0; i < request->nktypes; i++) {
if (request->ktype[i] == etype) {
useenctype = etype;
break;
}
}
if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
/* Do constrained delegation protocol and authorization checks */
errcode = kdc_process_s4u2proxy_req(kdc_context,
request,
request->second_ticket[st_idx]->enc_part2,
&st_client,
header_ticket->enc_part2->client,
request->server,
&status);
if (errcode)
goto cleanup;
setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
assert(krb5_is_tgs_principal(header_ticket->server));
/* From now on, use evidence ticket as header ticket */
header_enc_tkt = request->second_ticket[st_idx]->enc_part2;
assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */
client = st_client;
c_nprincs = st_nprincs;
} else {
/* "client" is not used for user2user */
krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
}
}
/*
* Select the keytype for the ticket session key.
*/
if ((useenctype == 0) &&
(useenctype = select_session_keytype(kdc_context, &server,
request->nktypes,
request->ktype)) == 0) {
/* unsupported ktype */
status = "BAD_ENCRYPTION_TYPE";
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto cleanup;
}
errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
if (errcode) {
/* random key failed */
status = "RANDOM_KEY_FAILED";
goto cleanup;
}
authtime = header_enc_tkt->times.authtime;
if (is_referral)
ticket_reply.server = server.princ;
else
ticket_reply.server = request->server; /* XXX careful for realm... */
enc_tkt_reply.flags = 0;
enc_tkt_reply.times.starttime = 0;
if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE))
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
/*
* Fix header_ticket's starttime; if it's zero, fill in the
* authtime's value.
*/
if (!(header_enc_tkt->times.starttime))
header_enc_tkt->times.starttime = header_enc_tkt->times.authtime;
/* don't use new addresses unless forwarded, see below */
enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
/* noaddrarray[0] = 0; */
reply_encpart.caddrs = 0;/* optional...don't put it in */
reply_encpart.enc_padata = NULL;
/* It should be noted that local policy may affect the */
/* processing of any of these flags. For example, some */
/* realms may refuse to issue renewable tickets */
if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
/*
* If S4U2Self principal is not forwardable, then mark ticket as
* unforwardable. This behaviour matches Windows, but it is
* different to the MIT AS-REQ path, which returns an error
* (KDC_ERR_POLICY) if forwardable tickets cannot be issued.
*
* Consider this block the S4U2Self equivalent to
* validate_forwardable().
*/
if (c_nprincs &&
isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
/*
* OK_TO_AUTH_AS_DELEGATE must be set on the service requesting
* S4U2Self in order for forwardable tickets to be returned.
*/
else if (!is_referral &&
!isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
}
}
if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED))
setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
/* include new addresses in ticket & reply */
enc_tkt_reply.caddrs = request->addresses;
reply_encpart.caddrs = request->addresses;
}
if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
enc_tkt_reply.times.starttime = request->from;
} else
enc_tkt_reply.times.starttime = kdc_time;
if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
krb5_deltat old_life;
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
/* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
to the caller */
ticket_reply = *(header_ticket);
enc_tkt_reply = *(header_ticket->enc_part2);
old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
min(header_ticket->enc_part2->times.renew_till,
kdc_time + old_life);
} else {
/* not a renew request */
enc_tkt_reply.times.starttime = kdc_time;
until = (request->till == 0) ? kdc_infinity : request->till;
enc_tkt_reply.times.endtime =
min(until, min(enc_tkt_reply.times.starttime + server.max_life,
min(enc_tkt_reply.times.starttime + max_life_for_realm,
header_enc_tkt->times.endtime)));
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
(enc_tkt_reply.times.endtime < request->till) &&
isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
setflag(request->kdc_options, KDC_OPT_RENEWABLE);
request->rtime =
min(request->till, header_enc_tkt->times.renew_till);
}
}
rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
/* already checked above in policy check to reject request for a
renewable ticket using a non-renewable ticket */
setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
enc_tkt_reply.times.renew_till =
min(rtime,
min(header_enc_tkt->times.renew_till,
enc_tkt_reply.times.starttime +
min(server.max_renewable_life,
max_renewable_life_for_realm)));
} else {
enc_tkt_reply.times.renew_till = 0;
}
/*
* Set authtime to be the same as header_ticket's
*/
enc_tkt_reply.times.authtime = header_enc_tkt->times.authtime;
/*
* Propagate the preauthentication flags through to the returned ticket.
*/
if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH))
setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
errcode = krb5_unparse_name(kdc_context, s4u_x509_user->user_id.user, &s4u_name);
} else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
} else {
errcode = 0;
}
if (errcode) {
status = "UNPARSING S4U CLIENT";
goto cleanup;
}
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
encrypting_key = *(t2enc->session);
} else {
/*
* Find the server key
*/
if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
-1, /* ignore keytype */
-1, /* Ignore salttype */
0,/* Get highest kvno */
&server_key))) {
status = "FINDING_SERVER_KEY";
goto cleanup;
}
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
&mkey_ptr))) {
krb5_keylist_node *tmp_mkey_list;
/* try refreshing master key list */
/* XXX it would nice if we had the mkvno here for optimization */
if (krb5_db_fetch_mkey_list(kdc_context, master_princ,
&master_keyblock, 0, &tmp_mkey_list) == 0) {
krb5_dbe_free_key_list(kdc_context, master_keylist);
master_keylist = tmp_mkey_list;
if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist,
&server, &mkey_ptr))) {
status = "FINDING_MASTER_KEY";
goto cleanup;
}
} else {
status = "FINDING_MASTER_KEY";
goto cleanup;
}
}
/* convert server.key into a real key (it may be encrypted
* in the database) */
if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
mkey_ptr,
server_key, &encrypting_key,
NULL))) {
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
/*
* Don't allow authorization data to be disabled if constrained
* delegation is requested. We don't want to deny the server
* the ability to validate that delegation was used.
*/
clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
}
if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
/*
* If we are not doing protocol transition/constrained delegation
* and there was no authorization data included, try to lookup
* the client principal as it may be mapped to a local account.
*
* Always validate authorization data for constrained delegation
* because we must validate the KDC signatures.
*/
if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U) &&
header_enc_tkt->authorization_data == NULL) {
/* Generate authorization data so we can include it in ticket */
setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
/* Map principals from foreign (possibly non-AD) realms */
setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
assert(c_nprincs == 0); /* should not have been looked up already */
c_nprincs = 1;
errcode = krb5_db_get_principal_ext(kdc_context,
header_enc_tkt->client,
c_flags,
&client,
&c_nprincs,
&more);
/*
* We can ignore errors because the principal may be a
* valid cross-realm principal for which we have no local
* mapping. But we do want to check that at most one entry
* was returned.
*/
if (errcode == 0 && (more || c_nprincs > 1)) {
errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
goto cleanup;
} else if (errcode) {
c_nprincs = 0;
}
}
}
enc_tkt_reply.authorization_data = NULL;
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
!isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
enc_tkt_reply.client = s4u_x509_user->user_id.user;
else
enc_tkt_reply.client = header_enc_tkt->client;
enc_tkt_reply.session = &session_key;
enc_tkt_reply.transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_reply.transited.tr_contents = empty_string; /* equivalent of "" */
errcode = handle_authdata(kdc_context,
c_flags,
(c_nprincs != 0) ? &client : NULL,
&server,
(k_nprincs != 0) ? &krbtgt : NULL,
subkey != NULL ? subkey :
header_ticket->enc_part2->session,
&encrypting_key, /* U2U or server key */
pkt,
request,
s4u_x509_user ?
s4u_x509_user->user_id.user : NULL,
header_enc_tkt,
&enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode);
status = "HANDLE_AUTHDATA";
goto cleanup;
}
if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
errcode = return_svr_referral_data(kdc_context,
&server, &reply_encpart);
if (errcode) {
status = "KDC_RETURN_ENC_PADATA";
goto cleanup;
}
}
/*
* Only add the realm of the presented tgt to the transited list if
* it is different than the local realm (cross-realm) and it is different
* than the realm of the client (since the realm of the client is already
* implicitly part of the transited list and should not be explicitly
* listed).
*/
/* realm compare is like strcmp, but knows how to deal with these args */
if (realm_compare(header_ticket->server, tgs_server) ||
realm_compare(header_ticket->server, enc_tkt_reply.client)) {
/* tgt issued by local realm or issued by realm of client */
enc_tkt_reply.transited = header_enc_tkt->transited;
} else {
/* tgt issued by some other realm and not the realm of the client */
/* assemble new transited field into allocated storage */
if (header_enc_tkt->transited.tr_type !=
KRB5_DOMAIN_X500_COMPRESS) {
status = "BAD_TRTYPE";
errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
goto cleanup;
}
enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
enc_tkt_transited.magic = 0;
enc_tkt_transited.tr_contents.magic = 0;
enc_tkt_transited.tr_contents.data = 0;
enc_tkt_transited.tr_contents.length = 0;
enc_tkt_reply.transited = enc_tkt_transited;
if ((errcode =
add_to_transited(&header_enc_tkt->transited.tr_contents,
&enc_tkt_reply.transited.tr_contents,
header_ticket->server,
enc_tkt_reply.client,
request->server))) {
status = "ADD_TR_FAIL";
goto cleanup;
}
newtransited = 1;
}
if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
&server,
(k_nprincs != 0) ? &krbtgt : NULL);
if (errcode) {
status = "NON_TRANSITIVE";
goto cleanup;
}
}
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
unsigned int tlen;
char *tdots;
errcode = kdc_check_transited_list (kdc_context,
&enc_tkt_reply.transited.tr_contents,
krb5_princ_realm (kdc_context, header_enc_tkt->client),
krb5_princ_realm (kdc_context, request->server));
tlen = enc_tkt_reply.transited.tr_contents.length;
tdots = tlen > 125 ? "..." : "";
tlen = tlen > 125 ? 125 : tlen;
if (errcode == 0) {
setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
} else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
krb5_klog_syslog (LOG_INFO,
"bad realm transit path from '%s' to '%s' "
"via '%.*s%s'",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tlen,
enc_tkt_reply.transited.tr_contents.data,
tdots);
else {
emsg = krb5_get_error_message(kdc_context, errcode);
krb5_klog_syslog (LOG_ERR,
"unexpected error checking transit from "
"'%s' to '%s' via '%.*s%s': %s",
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
tlen,
enc_tkt_reply.transited.tr_contents.data,
tdots, emsg);
krb5_free_error_message(kdc_context, emsg);
emsg = NULL;
}
} else
krb5_klog_syslog (LOG_INFO, "not checking transit path");
if (reject_bad_transit
&& !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
errcode = KRB5KDC_ERR_POLICY;
status = "BAD_TRANSIT";
goto cleanup;
}
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
* If we are doing user-to-user authentication, then make sure
* that the client for the second ticket matches the request
* server, and then encrypt the ticket using the session key of
* the second ticket.
*/
if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
/*
* Make sure the client for the second ticket matches
* requested server.
*/
krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
krb5_principal client2 = t2enc->client;
if (!krb5_principal_compare(kdc_context, request->server, client2)) {
if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
altcname = 0;
if (altcname != NULL)
limit_string(altcname);
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
status = "2ND_TKT_MISMATCH";
goto cleanup;
}
ticket_kvno = 0;
ticket_reply.enc_part.enctype = t2enc->session->enctype;
st_idx++;
} else {
ticket_kvno = server_key->key_data_kvno;
}
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode) {
status = "TKT_ENCRYPT";
goto cleanup;
}
ticket_reply.enc_part.kvno = ticket_kvno;
/* Start assembling the response */
reply.msg_type = KRB5_TGS_REP;
reply.padata = 0;/* always */
if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
find_pa_data(request->padata, KRB5_PADATA_S4U_X509_USER) != NULL) {
errcode = kdc_make_s4u2self_rep(kdc_context,
subkey,
header_ticket->enc_part2->session,
s4u_x509_user,
&reply,
&reply_encpart);
if (errcode) {
status = "KDC_RETURN_S4U2SELF_PADATA";
goto cleanup;
}
}
reply.client = enc_tkt_reply.client;
reply.enc_part.kvno = 0;/* We are using the session key */
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
reply_encpart.nonce = request->nonce;
/* copy the time fields EXCEPT for authtime; its location
is used for ktime */
reply_encpart.times = enc_tkt_reply.times;
reply_encpart.times.authtime = header_enc_tkt->times.authtime;
/* starttime is optional, and treated as authtime if not present.
so we can nuke it if it matches */
if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
enc_tkt_reply.times.starttime = 0;
nolrentry.lr_type = KRB5_LRQ_NONE;
nolrentry.value = 0;
nolrarray[0] = &nolrentry;
nolrarray[1] = 0;
reply_encpart.last_req = nolrarray; /* not available for TGS reqs */
reply_encpart.key_exp = 0;/* ditto */
reply_encpart.flags = enc_tkt_reply.flags;
reply_encpart.server = ticket_reply.server;
/* use the session key in the ticket, unless there's a subsession key
in the AP_REQ */
reply.enc_part.enctype = subkey ? subkey->enctype :
header_ticket->enc_part2->session->enctype;
errcode = kdc_fast_response_handle_padata(state, request, &reply,
subkey?subkey->enctype:header_ticket->enc_part2->session->enctype);
if (errcode !=0 ) {
status = "Preparing FAST padata";
goto cleanup;
}
errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key);
if (errcode) {
status = "generating reply key";
goto cleanup;
}
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
reply_key,
&reply, response);
if (errcode) {
status = "ENCODE_KDC_REP";
} else {
status = "ISSUE";
}
memset(ticket_reply.enc_part.ciphertext.data, 0,
ticket_reply.enc_part.ciphertext.length);
free(ticket_reply.enc_part.ciphertext.data);
/* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
can use them in raw form if needed. But, we don't... */
memset(reply.enc_part.ciphertext.data, 0,
reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
cleanup:
assert(status != NULL);
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
emsg = krb5_get_error_message (kdc_context, errcode);
log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
c_flags, s4u_name, status, errcode, emsg);
if (errcode) {
krb5_free_error_message (kdc_context, emsg);
emsg = NULL;
}
if (errcode) {
int got_err = 0;
if (status == 0) {
status = krb5_get_error_message (kdc_context, errcode);
got_err = 1;
}
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
errcode = KRB_ERR_GENERIC;
retval = prepare_error_tgs(state, request, header_ticket, errcode,
nprincs ? server.princ : NULL,
response, status);
if (got_err) {
krb5_free_error_message (kdc_context, status);
status = 0;
}
}
if (header_ticket != NULL)
krb5_free_ticket(kdc_context, header_ticket);
if (request != NULL)
krb5_free_kdc_req(kdc_context, request);
if (state)
kdc_free_rstate(state);
if (cname != NULL)
free(cname);
if (sname != NULL)
free(sname);
if (nprincs != 0)
krb5_db_free_principal(kdc_context, &server, 1);
if (session_key.contents != NULL)
krb5_free_keyblock_contents(kdc_context, &session_key);
if (newtransited)
free(enc_tkt_reply.transited.tr_contents.data);
if (k_nprincs)
krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
if (c_nprincs)
krb5_db_free_principal(kdc_context, &client, c_nprincs);
if (s4u_x509_user != NULL)
krb5_free_pa_s4u_x509_user(kdc_context, s4u_x509_user);
if (kdc_issued_auth_data != NULL)
krb5_free_authdata(kdc_context, kdc_issued_auth_data);
if (s4u_name != NULL)
free(s4u_name);
if (subkey != NULL)
krb5_free_keyblock(kdc_context, subkey);
if (reply.padata)
krb5_free_pa_data(kdc_context, reply.padata);
if (reply_encpart.enc_padata)
krb5_free_pa_data(kdc_context, reply_encpart.enc_padata);
return retval;
}
static int
check_princ(char *p_name, char *instance, int lifetime, Principal *p,
krb5_keyblock *k5key, int issrv, krb5_deltat *k5life)
{
static int n;
static int more;
/* long trans; */
n = kerb_get_principal(p_name, instance, p, &more, k5key, 0,
issrv, k5life);
klog(L_ALL_REQ,
"Principal: \"%s\", Instance: \"%s\" Lifetime = %d n = %d",
p_name, instance, lifetime, n, 0);
if (n < 0) {
lt = klog(L_KRB_PERR, "Database unavailable!");
p->key_high = p->key_low = 0;
hang();
}
/*
* if more than one p_name, pick one, randomly create a session key,
* compute maximum lifetime, lookup authorizations if applicable,
* and stuff into cipher.
*/
if (n == 0) {
/* service unknown, log error, skip to next request */
lt = klog(L_ERR_UNK, "UNKNOWN \"%s\" \"%s\"", p_name,
instance, 0);
return KERB_ERR_PRINCIPAL_UNKNOWN;
}
if (more) {
/* not unique, log error */
lt = klog(L_ERR_NUN, "Principal NOT UNIQUE \"%s\" \"%s\"",
p_name, instance, 0);
return KERB_ERR_PRINCIPAL_NOT_UNIQUE;
}
/*
* Check our V5 stuff first.
*/
/*
* Does the principal have REQUIRES_PWCHANGE set?
*/
if (isflagset(p->attributes, V4_KDB_REQUIRES_PWCHANGE)) {
lt = klog(L_ERR_SEXP, "V5 REQUIRES_PWCHANGE set "
"\"%s\" \"%s\"", p_name, instance);
return KERB_ERR_NAME_EXP;
}
/*
* Does the principal have DISALLOW_ALL_TIX set?
*/
if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
lt = klog(L_ERR_SEXP, "V5 DISALLOW_ALL_TIX set: "
"\"%s\" \"%s\"", p_name, instance);
/* Not sure of a better error to return */
return KERB_ERR_NAME_EXP;
}
if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
"\"%s\" \"%s\"", p_name, instance);
/* Not sure of a better error to return */
return KERB_ERR_NAME_EXP;
}
/*
* Does the principal require preauthentication?
*/
if ((kdc_v4 == KDC_V4_NOPREAUTH) &&
isflagset(p->attributes, V4_KDB_REQUIRES_PREAUTH)) {
lt = klog(L_ERR_SEXP, "V5 REQUIRES_PREAUTH set: "
"\"%s\" \"%s\"", p_name, instance);
/* Not sure of a better error to return */
return KERB_ERR_AUTH_EXP;
/* return KERB_ERR_NAME_EXP;*/
}
/* If the user's key is null, we want to return an error */
if (k5key->contents != NULL && K4KDC_ENCTYPE_OK(k5key->enctype)) {
if ((p->key_low == 0) && (p->key_high == 0)) {
/* User has a null key */
lt = klog(L_ERR_NKY, "Null key \"%s\" \"%s\"", p_name,
instance, 0);
return KERB_ERR_NULL_KEY;
}
}
/* make sure the service hasn't expired */
if (((u_long) p->exp_date != 0)&&
((u_long) p->exp_date <(u_long) kerb_time.tv_sec)) {
/* service did expire, log it */
char timestr[40];
struct tm *tm;
time_t t = p->exp_date;
tm = localtime(&t);
if (!strftime(timestr, sizeof(timestr), "%Y-%m-%d %H:%M:%S", tm))
timestr[0] = '\0';
lt = klog(L_ERR_SEXP,
"EXPIRED \"%s\" \"%s\" %s", p->name, p->instance, timestr);
return KERB_ERR_NAME_EXP;
}
/* ok is zero */
return 0;
}
