KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_free_authenticator(krb5_context context,
krb5_authenticator *authenticator)
{
free_Authenticator (*authenticator);
free (*authenticator);
*authenticator = NULL;
}
static krb5_error_code
tgs_check_authenticator(krb5_context context,
krb5_kdc_configuration *config,
krb5_auth_context ac,
KDC_REQ_BODY *b,
const char **e_text,
krb5_keyblock *key)
{
krb5_authenticator auth;
size_t len;
unsigned char *buf;
size_t buf_size;
krb5_error_code ret;
krb5_crypto crypto;
krb5_auth_con_getauthenticator(context, ac, &auth);
if(auth->cksum == NULL){
kdc_log(context, config, 0, "No authenticator in request");
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
/*
* according to RFC1510 it doesn't need to be keyed,
* but according to the latest draft it needs to.
*/
if (
#if 0
!krb5_checksum_is_keyed(context, auth->cksum->cksumtype)
||
#endif
!krb5_checksum_is_collision_proof(context, auth->cksum->cksumtype)) {
kdc_log(context, config, 0, "Bad checksum type in authenticator: %d",
auth->cksum->cksumtype);
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
/* XXX should not re-encode this */
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){
kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s",
krb5_get_err_text(context, ret));
goto out;
}
if(buf_size != len) {
free(buf);
kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
*e_text = "KDC internal error";
ret = KRB5KRB_ERR_GENERIC;
goto out;
}
ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret) {
free(buf);
kdc_log(context, config, 0, "krb5_crypto_init failed: %s",
krb5_get_err_text(context, ret));
goto out;
}
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_TGS_REQ_AUTH_CKSUM,
buf,
len,
auth->cksum);
free(buf);
krb5_crypto_destroy(context, crypto);
if(ret){
kdc_log(context, config, 0,
"Failed to verify authenticator checksum: %s",
krb5_get_err_text(context, ret));
}
out:
free_Authenticator(auth);
free(auth);
return ret;
}
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_build_authenticator (krb5_context context,
krb5_auth_context auth_context,
krb5_enctype enctype,
krb5_creds *cred,
Checksum *cksum,
krb5_data *result,
krb5_key_usage usage)
{
Authenticator auth;
u_char *buf = NULL;
size_t buf_size;
size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
memset(&auth, 0, sizeof(auth));
auth.authenticator_vno = 5;
copy_Realm(&cred->client->realm, &auth.crealm);
copy_PrincipalName(&cred->client->name, &auth.cname);
krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
if(ret)
goto fail;
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
if(auth_context->local_seqnumber == 0)
krb5_generate_seq_number (context,
&cred->session,
&auth_context->local_seqnumber);
ALLOC(auth.seq_number, 1);
if(auth.seq_number == NULL) {
ret = ENOMEM;
goto fail;
}
*auth.seq_number = auth_context->local_seqnumber;
} else
auth.seq_number = NULL;
auth.authorization_data = NULL;
if (cksum) {
ALLOC(auth.cksum, 1);
if (auth.cksum == NULL) {
ret = ENOMEM;
goto fail;
}
ret = copy_Checksum(cksum, auth.cksum);
if (ret)
goto fail;
if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
/*
* This is not GSS-API specific, we only enable it for
* GSS for now
*/
ret = make_etypelist(context, &auth.authorization_data);
if (ret)
goto fail;
}
}
/* XXX - Copy more to auth_context? */
auth_context->authenticator->ctime = auth.ctime;
auth_context->authenticator->cusec = auth.cusec;
ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
if (ret)
goto fail;
if(buf_size != len)
krb5_abortx(context, "internal error in ASN.1 encoder");
ret = krb5_crypto_init(context, &cred->session, enctype, &crypto);
if (ret)
goto fail;
ret = krb5_encrypt (context,
crypto,
usage /* KRB5_KU_AP_REQ_AUTH */,
buf,
len,
result);
krb5_crypto_destroy(context, crypto);
if (ret)
goto fail;
fail:
free_Authenticator (&auth);
free (buf);
return ret;
}
DWORD
VmKdcDecodeAuthenticator(
PVMKDC_DATA pData,
PVMKDC_AUTHENTICATOR *ppRetAuthenticator)
{
DWORD dwError = 0;
PVMKDC_AUTHENTICATOR pAuthenticator = NULL;
Authenticator heimAuth = {0};
unsigned char *authBufPtr = NULL;
size_t heimAuthLen = 0;
size_t authBufLen = 0;
authBufLen = VMKDC_GET_LEN_DATA(pData);
authBufPtr = (unsigned char *) VMKDC_GET_PTR_DATA(pData);
/*
* Decode the Authenticator into a Heimdal Authenticator structure.
*/
decode_Authenticator(authBufPtr, authBufLen, &heimAuth, &heimAuthLen);
if (heimAuthLen <= 0)
{
dwError = ERROR_PROTOCOL;
BAIL_ON_VMKDC_ERROR(dwError);
}
dwError = VmKdcAllocateMemory(sizeof(VMKDC_AUTHENTICATOR), (PVOID*)&pAuthenticator);
BAIL_ON_VMKDC_ERROR(dwError);
/* authenticator-vno */
pAuthenticator->authenticator_vno = heimAuth.authenticator_vno;
/* crealm, cname */
dwError = VmKdcMakePrincipal(heimAuth.crealm,
heimAuth.cname.name_string.len,
(PCSTR *)heimAuth.cname.name_string.val,
&pAuthenticator->cname);
BAIL_ON_VMKDC_ERROR(dwError);
/* cksum */
if (heimAuth.cksum)
{
/* TBD */
}
/* cusec */
pAuthenticator->cusec = heimAuth.cusec;
/* ctime */
pAuthenticator->ctime = heimAuth.ctime;
/* subkey */
if (heimAuth.subkey)
{
dwError = VmKdcMakeKey((VMKDC_KEYTYPE) heimAuth.subkey->keytype,
0,
(PUCHAR) heimAuth.subkey->keyvalue.data,
(DWORD) heimAuth.subkey->keyvalue.length,
&pAuthenticator->subkey);
BAIL_ON_VMKDC_ERROR(dwError);
}
/* seq-number */
if (heimAuth.seq_number)
{
/* TBD */
}
/* authorization_data */
if (heimAuth.authorization_data)
{
/* TBD */
}
*ppRetAuthenticator = pAuthenticator;
error:
if (dwError)
{
VMKDC_SAFE_FREE_AUTHENTICATOR(pAuthenticator);
}
free_Authenticator(&heimAuth);
return dwError;
}
