krb5_error_code
_krb5_init_tgs_req(krb5_context context,
krb5_ccache ccache,
krb5_addresses *addresses,
krb5_kdc_flags flags,
krb5_const_principal impersonate_principal,
Ticket *second_ticket,
krb5_creds *in_creds,
krb5_creds *krbtgt,
unsigned nonce,
METHOD_DATA *padata,
krb5_keyblock **subkey,
TGS_REQ *t)
{
krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
/* inherit the forwardable/proxyable flags from the krbtgt */
flags.b.forwardable = krbtgt->flags.b.forwardable;
flags.b.proxiable = krbtgt->flags.b.proxiable;
if (ccache->ops->tgt_req) {
KERB_TGS_REQ_OUT out;
KERB_TGS_REQ_IN in;
memset(&in, 0, sizeof(in));
memset(&out, 0, sizeof(out));
ret = ccache->ops->tgt_req(context, ccache, &in, &out);
if (ret)
return ret;
free_KERB_TGS_REQ_OUT(&out);
return 0;
}
memset(t, 0, sizeof(*t));
if (impersonate_principal) {
krb5_crypto crypto;
PA_S4U2Self self;
krb5_data data;
void *buf;
size_t size, len;
self.name = impersonate_principal->name;
self.realm = impersonate_principal->realm;
self.auth = rk_UNCONST("Kerberos");
ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
if (ret)
goto fail;
ret = krb5_crypto_init(context, &krbtgt->session, 0, &crypto);
if (ret) {
krb5_data_free(&data);
goto fail;
}
ret = krb5_create_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
0,
data.data,
data.length,
&self.cksum);
krb5_crypto_destroy(context, crypto);
krb5_data_free(&data);
if (ret)
goto fail;
ASN1_MALLOC_ENCODE(PA_S4U2Self, buf, len, &self, &size, ret);
free_Checksum(&self.cksum);
if (ret)
goto fail;
if (len != size)
krb5_abortx(context, "internal asn1 error");
ret = krb5_padata_add(context, padata, KRB5_PADATA_FOR_USER, buf, len);
if (ret)
goto fail;
}
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
ALLOC_SEQ(&t->req_body.etype, 1);
if(t->req_body.etype.val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
ret = _krb5_init_etype(context,
KRB5_PDU_TGS_REQUEST,
&t->req_body.etype.len,
&t->req_body.etype.val,
NULL);
}
if (ret)
goto fail;
t->req_body.addresses = addresses;
t->req_body.kdc_options = flags.b;
ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
if (ret)
goto fail;
ALLOC(t->req_body.sname, 1);
if (t->req_body.sname == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
/* some versions of some code might require that the client be
present in TGS-REQs, but this is clearly against the spec */
ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
if (ret)
goto fail;
/* req_body.till should be NULL if there is no endtime specified,
but old MIT code (like DCE secd) doesn't like that */
ALLOC(t->req_body.till, 1);
if(t->req_body.till == NULL){
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*t->req_body.till = in_creds->times.endtime;
t->req_body.nonce = nonce;
if(second_ticket){
ALLOC(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
if (ret)
goto fail;
}
ALLOC(t->padata, 1);
if (t->padata == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
ALLOC_SEQ(t->padata, 1 + padata->len);
if (t->padata->val == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
{
size_t i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
}
}
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
if (ret)
goto fail;
ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
ac->local_subkey);
if (ret)
goto fail;
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
&t->padata->val[0],
ccache,
krbtgt);
if(ret)
goto fail;
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
goto fail;
fail:
if (ac)
krb5_auth_con_free(context, ac);
if (ret) {
t->req_body.addresses = NULL;
free_TGS_REQ (t);
}
return ret;
}
static krb5_error_code
make_etypelist(krb5_context context,
krb5_authdata **auth_data)
{
EtypeList etypes;
krb5_error_code ret;
krb5_authdata ad;
u_char *buf;
size_t len = 0;
size_t buf_size;
ret = _krb5_init_etype(context, KRB5_PDU_NONE,
&etypes.len, &etypes.val,
NULL);
if (ret)
return ret;
ASN1_MALLOC_ENCODE(EtypeList, buf, buf_size, &etypes, &len, ret);
if (ret) {
free_EtypeList(&etypes);
return ret;
}
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
free_EtypeList(&etypes);
ALLOC_SEQ(&ad, 1);
if (ad.val == NULL) {
free(buf);
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ad.val[0].ad_type = KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION;
ad.val[0].ad_data.length = len;
ad.val[0].ad_data.data = buf;
ASN1_MALLOC_ENCODE(AD_IF_RELEVANT, buf, buf_size, &ad, &len, ret);
if (ret) {
free_AuthorizationData(&ad);
return ret;
}
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
free_AuthorizationData(&ad);
ALLOC(*auth_data, 1);
if (*auth_data == NULL) {
free(buf);
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
ALLOC_SEQ(*auth_data, 1);
if ((*auth_data)->val == NULL) {
free(*auth_data);
free(buf);
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
(*auth_data)->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
(*auth_data)->val[0].ad_data.length = len;
(*auth_data)->val[0].ad_data.data = buf;
return 0;
}
static krb5_error_code
init_as_req (krb5_context context,
KDCOptions opts,
krb5_creds *creds,
const krb5_addresses *addrs,
const krb5_enctype *etypes,
const krb5_preauthtype *ptypes,
const krb5_preauthdata *preauth,
krb5_key_proc key_proc,
krb5_const_pointer keyseed,
unsigned nonce,
AS_REQ *a)
{
krb5_error_code ret;
krb5_salt salt;
memset(a, 0, sizeof(*a));
a->pvno = 5;
a->msg_type = krb_as_req;
a->req_body.kdc_options = opts;
a->req_body.cname = malloc(sizeof(*a->req_body.cname));
if (a->req_body.cname == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->req_body.sname = malloc(sizeof(*a->req_body.sname));
if (a->req_body.sname == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
if (ret)
goto fail;
ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
if (ret)
goto fail;
ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
if (ret)
goto fail;
if(creds->times.starttime) {
a->req_body.from = malloc(sizeof(*a->req_body.from));
if (a->req_body.from == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*a->req_body.from = creds->times.starttime;
}
if(creds->times.endtime){
ALLOC(a->req_body.till, 1);
*a->req_body.till = creds->times.endtime;
}
if(creds->times.renew_till){
a->req_body.rtime = malloc(sizeof(*a->req_body.rtime));
if (a->req_body.rtime == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = nonce;
ret = _krb5_init_etype(context,
KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
if (ret)
goto fail;
/*
* This means no addresses
*/
if (addrs && addrs->len == 0) {
a->req_body.addresses = NULL;
} else {
a->req_body.addresses = malloc(sizeof(*a->req_body.addresses));
if (a->req_body.addresses == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
if (addrs)
ret = krb5_copy_addresses(context, addrs, a->req_body.addresses);
else {
ret = krb5_get_all_client_addrs (context, a->req_body.addresses);
if(ret == 0 && a->req_body.addresses->len == 0) {
free(a->req_body.addresses);
a->req_body.addresses = NULL;
}
}
if (ret)
return ret;
}
a->req_body.enc_authorization_data = NULL;
a->req_body.additional_tickets = NULL;
if(preauth != NULL) {
size_t i;
ALLOC(a->padata, 1);
if(a->padata == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->padata->val = NULL;
a->padata->len = 0;
for(i = 0; i < preauth->len; i++) {
if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
size_t j;
for(j = 0; j < preauth->val[i].info.len; j++) {
krb5_salt *sp = &salt;
if(preauth->val[i].info.val[j].salttype)
salt.salttype = *preauth->val[i].info.val[j].salttype;
else
salt.salttype = KRB5_PW_SALT;
if(preauth->val[i].info.val[j].salt)
salt.saltvalue = *preauth->val[i].info.val[j].salt;
else
if(salt.salttype == KRB5_PW_SALT)
sp = NULL;
else
krb5_data_zero(&salt.saltvalue);
ret = add_padata(context, a->padata, creds->client,
key_proc, keyseed,
&preauth->val[i].info.val[j].etype, 1,
sp);
if (ret == 0)
break;
}
}
}
} else
/* not sure this is the way to use `ptypes' */
if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
a->padata = NULL;
else if (*ptypes == KRB5_PADATA_ENC_TIMESTAMP) {
ALLOC(a->padata, 1);
if (a->padata == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto fail;
}
a->padata->len = 0;
a->padata->val = NULL;
/* make a v5 salted pa-data */
add_padata(context, a->padata, creds->client,
key_proc, keyseed, a->req_body.etype.val,
a->req_body.etype.len, NULL);
/* make a v4 salted pa-data */
salt.salttype = KRB5_PW_SALT;
krb5_data_zero(&salt.saltvalue);
add_padata(context, a->padata, creds->client,
key_proc, keyseed, a->req_body.etype.val,
a->req_body.etype.len, &salt);
} else {
ret = KRB5_PREAUTH_BAD_TYPE;
krb5_set_error_message (context, ret,
N_("pre-auth type %d not supported", ""),
*ptypes);
goto fail;
}
return 0;
fail:
free_AS_REQ(a);
return ret;
}
static krb5_error_code
init_tgs_req (krb5_context context,
krb5_ccache ccache,
krb5_addresses *addresses,
krb5_kdc_flags flags,
Ticket *second_ticket,
krb5_creds *in_creds,
krb5_creds *krbtgt,
unsigned nonce,
const METHOD_DATA *padata,
krb5_keyblock **subkey,
TGS_REQ *t)
{
krb5_auth_context ac = NULL;
krb5_error_code ret = 0;
memset(t, 0, sizeof(*t));
t->pvno = 5;
t->msg_type = krb_tgs_req;
if (in_creds->session.keytype) {
ALLOC_SEQ(&t->req_body.etype, 1);
if(t->req_body.etype.val == NULL) {
ret = krb5_enomem(context);
goto fail;
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
ret = _krb5_init_etype(context,
KRB5_PDU_TGS_REQUEST,
&t->req_body.etype.len,
&t->req_body.etype.val,
NULL);
}
if (ret)
goto fail;
t->req_body.addresses = addresses;
t->req_body.kdc_options = flags.b;
t->req_body.kdc_options.forwardable = krbtgt->flags.b.forwardable;
t->req_body.kdc_options.renewable = krbtgt->flags.b.renewable;
t->req_body.kdc_options.proxiable = krbtgt->flags.b.proxiable;
ret = copy_Realm(&in_creds->server->realm, &t->req_body.realm);
if (ret)
goto fail;
ALLOC(t->req_body.sname, 1);
if (t->req_body.sname == NULL) {
ret = krb5_enomem(context);
goto fail;
}
/* some versions of some code might require that the client be
present in TGS-REQs, but this is clearly against the spec */
ret = copy_PrincipalName(&in_creds->server->name, t->req_body.sname);
if (ret)
goto fail;
if (krbtgt->times.starttime) {
ALLOC(t->req_body.from, 1);
if(t->req_body.from == NULL){
ret = krb5_enomem(context);
goto fail;
}
*t->req_body.from = in_creds->times.starttime;
}
/* req_body.till should be NULL if there is no endtime specified,
but old MIT code (like DCE secd) doesn't like that */
ALLOC(t->req_body.till, 1);
if(t->req_body.till == NULL){
ret = krb5_enomem(context);
goto fail;
}
*t->req_body.till = in_creds->times.endtime;
if (t->req_body.kdc_options.renewable && krbtgt->times.renew_till) {
ALLOC(t->req_body.rtime, 1);
if(t->req_body.rtime == NULL){
ret = krb5_enomem(context);
goto fail;
}
*t->req_body.rtime = in_creds->times.renew_till;
}
t->req_body.nonce = nonce;
if(second_ticket){
ALLOC(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets == NULL) {
ret = krb5_enomem(context);
goto fail;
}
ALLOC_SEQ(t->req_body.additional_tickets, 1);
if (t->req_body.additional_tickets->val == NULL) {
ret = krb5_enomem(context);
goto fail;
}
ret = copy_Ticket(second_ticket, t->req_body.additional_tickets->val);
if (ret)
goto fail;
}
ALLOC(t->padata, 1);
if (t->padata == NULL) {
ret = krb5_enomem(context);
goto fail;
}
ALLOC_SEQ(t->padata, 1 + padata->len);
if (t->padata->val == NULL) {
ret = krb5_enomem(context);
goto fail;
}
{
size_t i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto fail;
}
}
}
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
if (ret)
goto fail;
ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
ac->local_subkey);
if (ret)
goto fail;
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
&t->padata->val[0],
krbtgt);
if(ret)
goto fail;
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
goto fail;
fail:
if (ac)
krb5_auth_con_free(context, ac);
if (ret) {
t->req_body.addresses = NULL;
free_TGS_REQ (t);
}
return ret;
}
