krb5_error_code KRB5_CALLCONV
krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, register krb5_ticket *ticket)
{
krb5_enc_tkt_part *dec_tkt_part;
krb5_data scratch;
krb5_error_code retval;
if (!krb5_c_valid_enctype(ticket->enc_part.enctype))
return KRB5_PROG_ETYPE_NOSUPP;
if (!krb5_is_permitted_enctype(context, ticket->enc_part.enctype))
return KRB5_NOPERM_ETYPE;
scratch.length = ticket->enc_part.ciphertext.length;
if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length)))
return(ENOMEM);
/* call the encryption routine */
if ((retval = krb5_c_decrypt(context, srv_key,
KRB5_KEYUSAGE_KDC_REP_TICKET, 0,
&ticket->enc_part, &scratch))) {
free(scratch.data);
return retval;
}
#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
free(scratch.data);}
/* now decode the decrypted stuff */
retval = decode_krb5_enc_tkt_part(&scratch, &dec_tkt_part);
if (!retval) {
ticket->enc_part2 = dec_tkt_part;
}
clean_scratch();
return retval;
}
static krb5_error_code
krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
const krb5_ap_req *req, krb5_const_principal server,
krb5_keytab keytab, krb5_flags *ap_req_options,
krb5_ticket **ticket, int check_valid_flag)
{
krb5_error_code retval = 0;
krb5_timestamp currenttime;
krb5_principal_data princ_data;
req->ticket->enc_part2 == NULL;
if (server && krb5_is_referral_realm(&server->realm)) {
char *realm;
princ_data = *server;
server = &princ_data;
retval = krb5_get_default_realm(context, &realm);
if (retval)
return retval;
princ_data.realm.data = realm;
princ_data.realm.length = strlen(realm);
}
if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
char *found_name = 0, *wanted_name = 0;
if (krb5_unparse_name(context, server, &wanted_name) == 0
&& krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
"Wrong principal in request (found %s, wanted %s)",
found_name, wanted_name);
krb5_free_unparsed_name(context, wanted_name);
krb5_free_unparsed_name(context, found_name);
retval = KRB5KRB_AP_WRONG_PRINC;
goto cleanup;
}
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */
/* decrypt the ticket */
if ((*auth_context)->keyblock) { /* User to User authentication */
if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
req->ticket)))
goto cleanup;
krb5_free_keyblock(context, (*auth_context)->keyblock);
(*auth_context)->keyblock = NULL;
} else {
if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
goto cleanup;
}
/* XXX this is an evil hack. check_valid_flag is set iff the call
is not from inside the kdc. we can use this to determine which
key usage to use */
if ((retval = decrypt_authenticator(context, req,
&((*auth_context)->authentp),
check_valid_flag)))
goto cleanup;
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
req->ticket->enc_part2->client)) {
retval = KRB5KRB_AP_ERR_BADMATCH;
goto cleanup;
}
if ((*auth_context)->remote_addr &&
!krb5_address_search(context, (*auth_context)->remote_addr,
req->ticket->enc_part2->caddrs)) {
retval = KRB5KRB_AP_ERR_BADADDR;
goto cleanup;
}
/* okay, now check cross-realm policy */
#if defined(_SINGLE_HOP_ONLY)
/* Single hop cross-realm tickets only */
{
krb5_transited *trans = &(req->ticket->enc_part2->transited);
/* If the transited list is empty, then we have at most one hop */
if (trans->tr_contents.data && trans->tr_contents.data[0])
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
#elif defined(_NO_CROSS_REALM)
/* No cross-realm tickets */
{
char * lrealm;
krb5_data * realm;
krb5_transited * trans;
realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
trans = &(req->ticket->enc_part2->transited);
/*
* If the transited list is empty, then we have at most one hop
* So we also have to check that the client's realm is the local one
*/
krb5_get_default_realm(context, &lrealm);
if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
strlen(lrealm) != realm->length ||
memcmp(lrealm, realm->data, strlen(lrealm))) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
free(lrealm);
}
#else
/* Hierarchical Cross-Realm */
{
krb5_data * realm;
krb5_transited * trans;
realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
trans = &(req->ticket->enc_part2->transited);
/*
* If the transited list is not empty, then check that all realms
* transited are within the hierarchy between the client's realm
* and the local realm.
*/
if (trans->tr_contents.data && trans->tr_contents.data[0]) {
retval = krb5_check_transited_list(context, &(trans->tr_contents),
realm,
krb5_princ_realm (context,
server));
}
}
#endif
if (retval) goto cleanup;
/* only check rcache if sender has provided one---some services
may not be able to use replay caches (such as datagram servers) */
if ((*auth_context)->rcache) {
krb5_donot_replay rep;
krb5_tkt_authent tktauthent;
tktauthent.ticket = req->ticket;
tktauthent.authenticator = (*auth_context)->authentp;
if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
krb5_xfree(rep.server);
krb5_xfree(rep.client);
}
if (retval)
goto cleanup;
}
retval = krb5_validate_times(context, &req->ticket->enc_part2->times);
if (retval != 0)
goto cleanup;
if ((retval = krb5_timeofday(context, ¤ttime)))
goto cleanup;
if (!in_clock_skew((*auth_context)->authentp->ctime)) {
retval = KRB5KRB_AP_ERR_SKEW;
goto cleanup;
}
if (check_valid_flag) {
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
}
}
/* check if the various etypes are permitted */
if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
/* no etype check needed */;
} else if ((*auth_context)->permitted_etypes == NULL) {
int etype;
/* check against the default set */
if ((!krb5_is_permitted_enctype(context,
etype = req->ticket->enc_part.enctype)) ||
(!krb5_is_permitted_enctype(context,
etype = req->ticket->enc_part2->session->enctype)) ||
(((*auth_context)->authentp->subkey) &&
!krb5_is_permitted_enctype(context,
etype = (*auth_context)->authentp->subkey->enctype))) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
} else {
/* check against the set in the auth_context */
int i;
for (i=0; (*auth_context)->permitted_etypes[i]; i++)
if ((*auth_context)->permitted_etypes[i] ==
req->ticket->enc_part.enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
for (i=0; (*auth_context)->permitted_etypes[i]; i++)
if ((*auth_context)->permitted_etypes[i] ==
req->ticket->enc_part2->session->enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
if ((*auth_context)->authentp->subkey) {
for (i=0; (*auth_context)->permitted_etypes[i]; i++)
if ((*auth_context)->permitted_etypes[i] ==
(*auth_context)->authentp->subkey->enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
enctype_name,
sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
}
}
(*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
if ((*auth_context)->authentp->subkey) {
if ((retval = krb5_copy_keyblock(context,
(*auth_context)->authentp->subkey,
&((*auth_context)->recv_subkey))))
goto cleanup;
retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
&((*auth_context)->send_subkey));
if (retval) {
krb5_free_keyblock(context, (*auth_context)->recv_subkey);
(*auth_context)->recv_subkey = NULL;
goto cleanup;
}
} else {
(*auth_context)->recv_subkey = 0;
(*auth_context)->send_subkey = 0;
}
if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
&((*auth_context)->keyblock))))
goto cleanup;
/*
* If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
* then the default sequence number is the one's complement of the
* sequence number sent ot us.
*/
if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
(*auth_context)->remote_seq_number) {
(*auth_context)->local_seq_number ^=
(*auth_context)->remote_seq_number;
}
if (ticket)
if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
goto cleanup;
if (ap_req_options)
*ap_req_options = req->ap_options;
retval = 0;
cleanup:
if (server == &princ_data)
krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
/* only free if we're erroring out...otherwise some
applications will need the output. */
if (req->ticket->enc_part2)
krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
req->ticket->enc_part2 = NULL;
}
return retval;
}
