From c4609275b0b00e06b99649872174eebe236dc403 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Sun, 11 Jan 2009 21:51:09 +0000 Subject: [PATCH] move _krb5_extract_ticket to ticket.c git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24296 ec53bebd-3082-4978-b11e-865c3cabbd6b --- lib/krb5/get_in_tkt.c | 473 ------------------------------------------ 1 file changed, 473 deletions(-) diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c index be9d21671..b82a0547d 100644 --- a/lib/krb5/get_in_tkt.c +++ b/lib/krb5/get_in_tkt.c @@ -38,479 +38,6 @@ RCSID("$Id$"); #undef __attribute__ #define __attribute__(x) -static krb5_error_code -check_server_referral(krb5_context context, - krb5_kdc_rep *rep, - unsigned flags, - krb5_const_principal requested, - krb5_const_principal returned, - krb5_keyblock * key) -{ - krb5_error_code ret; - PA_ServerReferralData ref; - krb5_crypto session; - EncryptedData ed; - size_t len; - krb5_data data; - PA_DATA *pa; - int i = 0, cmp; - - if (rep->kdc_rep.padata == NULL) - goto noreferral; - - pa = krb5_find_padata(rep->kdc_rep.padata->val, - rep->kdc_rep.padata->len, - KRB5_PADATA_SERVER_REFERRAL, &i); - if (pa == NULL) - goto noreferral; - - memset(&ed, 0, sizeof(ed)); - memset(&ref, 0, sizeof(ref)); - - ret = decode_EncryptedData(pa->padata_value.data, - pa->padata_value.length, - &ed, &len); - if (ret) - return ret; - if (len != pa->padata_value.length) { - free_EncryptedData(&ed); - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("Referral EncryptedData wrong for realm %s", - "realm"), requested->realm); - return KRB5KRB_AP_ERR_MODIFIED; - } - - ret = krb5_crypto_init(context, key, 0, &session); - if (ret) { - free_EncryptedData(&ed); - return ret; - } - - ret = krb5_decrypt_EncryptedData(context, session, - KRB5_KU_PA_SERVER_REFERRAL, - &ed, &data); - free_EncryptedData(&ed); - krb5_crypto_destroy(context, session); - if (ret) - return ret; - - ret = decode_PA_ServerReferralData(data.data, data.length, &ref, &len); - if (ret) { - krb5_data_free(&data); - return ret; - } - krb5_data_free(&data); - - if (strcmp(requested->realm, returned->realm) != 0) { - free_PA_ServerReferralData(&ref); - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("server ref realm mismatch, " - "requested realm %s got back %s", ""), - requested->realm, returned->realm); - return KRB5KRB_AP_ERR_MODIFIED; - } - - if (returned->name.name_string.len == 2 && - strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0) - { - const char *realm = returned->name.name_string.val[1]; - - if (ref.referred_realm == NULL - || strcmp(*ref.referred_realm, realm) != 0) - { - free_PA_ServerReferralData(&ref); - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("tgt returned with wrong ref", "")); - return KRB5KRB_AP_ERR_MODIFIED; - } - } else if (krb5_principal_compare(context, returned, requested) == 0) { - free_PA_ServerReferralData(&ref); - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("req princ no same as returned", "")); - return KRB5KRB_AP_ERR_MODIFIED; - } - - if (ref.requested_principal_name) { - cmp = _krb5_principal_compare_PrincipalName(context, - requested, - ref.requested_principal_name); - if (!cmp) { - free_PA_ServerReferralData(&ref); - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("referred principal not same " - "as requested", "")); - return KRB5KRB_AP_ERR_MODIFIED; - } - } else if (flags & EXTRACT_TICKET_AS_REQ) { - free_PA_ServerReferralData(&ref); - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("Requested principal missing on AS-REQ", "")); - return KRB5KRB_AP_ERR_MODIFIED; - } - - free_PA_ServerReferralData(&ref); - - return ret; -noreferral: - if (krb5_principal_compare(context, requested, returned) == FALSE) { - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("Not same server principal returned " - "as requested", "")); - return KRB5KRB_AP_ERR_MODIFIED; - } - return 0; -} - - -/* - * Verify referral data - */ - - -static krb5_error_code -check_client_referral(krb5_context context, - krb5_kdc_rep *rep, - krb5_const_principal requested, - krb5_const_principal mapped, - krb5_keyblock const * key) -{ - krb5_error_code ret; - PA_ClientCanonicalized canon; - krb5_crypto crypto; - krb5_data data; - PA_DATA *pa; - size_t len; - int i = 0; - - if (rep->kdc_rep.padata == NULL) - goto noreferral; - - pa = krb5_find_padata(rep->kdc_rep.padata->val, - rep->kdc_rep.padata->len, - KRB5_PADATA_CLIENT_CANONICALIZED, &i); - if (pa == NULL) - goto noreferral; - - ret = decode_PA_ClientCanonicalized(pa->padata_value.data, - pa->padata_value.length, - &canon, &len); - if (ret) { - krb5_set_error_message(context, ret, - N_("Failed to decode ClientCanonicalized " - "from realm %s", ""), requested->realm); - return ret; - } - - ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length, - &canon.names, &len, ret); - if (ret) { - free_PA_ClientCanonicalized(&canon); - return ret; - } - if (data.length != len) - krb5_abortx(context, "internal asn.1 error"); - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) { - free(data.data); - free_PA_ClientCanonicalized(&canon); - return ret; - } - - ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES, - data.data, data.length, - &canon.canon_checksum); - krb5_crypto_destroy(context, crypto); - free(data.data); - if (ret) { - krb5_set_error_message(context, ret, - N_("Failed to verify client canonicalized " - "data from realm %s", ""), - requested->realm); - free_PA_ClientCanonicalized(&canon); - return ret; - } - - if (!_krb5_principal_compare_PrincipalName(context, - requested, - &canon.names.requested_name)) - { - free_PA_ClientCanonicalized(&canon); - krb5_set_error_message(context, KRB5_PRINC_NOMATCH, - N_("Requested name doesn't match" - " in client referral", "")); - return KRB5_PRINC_NOMATCH; - } - if (!_krb5_principal_compare_PrincipalName(context, - mapped, - &canon.names.mapped_name)) - { - free_PA_ClientCanonicalized(&canon); - krb5_set_error_message(context, KRB5_PRINC_NOMATCH, - N_("Mapped name doesn't match" - " in client referral", "")); - return KRB5_PRINC_NOMATCH; - } - - return 0; - -noreferral: - if (krb5_principal_compare(context, requested, mapped) == FALSE) { - krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED, - N_("Not same client principal returned " - "as requested", "")); - return KRB5KRB_AP_ERR_MODIFIED; - } - return 0; -} - - -static krb5_error_code -decrypt_tkt (krb5_context context, - krb5_keyblock *key, - krb5_key_usage usage, - krb5_const_pointer decrypt_arg, - krb5_kdc_rep *dec_rep) -{ - krb5_error_code ret; - krb5_data data; - size_t size; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, key, 0, &crypto); - if (ret) - return ret; - - ret = krb5_decrypt_EncryptedData (context, - crypto, - usage, - &dec_rep->kdc_rep.enc_part, - &data); - krb5_crypto_destroy(context, crypto); - - if (ret) - return ret; - - ret = decode_EncASRepPart(data.data, - data.length, - &dec_rep->enc_part, - &size); - if (ret) - ret = decode_EncTGSRepPart(data.data, - data.length, - &dec_rep->enc_part, - &size); - krb5_data_free (&data); - if (ret) { - krb5_set_error_message(context, ret, - N_("Failed to decode encpart in ticket", "")); - return ret; - } - return 0; -} - -int -_krb5_extract_ticket(krb5_context context, - krb5_kdc_rep *rep, - krb5_creds *creds, - krb5_keyblock *key, - krb5_const_pointer keyseed, - krb5_key_usage key_usage, - krb5_addresses *addrs, - unsigned nonce, - unsigned flags, - krb5_decrypt_proc decrypt_proc, - krb5_const_pointer decryptarg) -{ - krb5_error_code ret; - krb5_principal tmp_principal; - size_t len; - time_t tmp_time; - krb5_timestamp sec_now; - - /* decrypt */ - - if (decrypt_proc == NULL) - decrypt_proc = decrypt_tkt; - - ret = (*decrypt_proc)(context, key, key_usage, decryptarg, rep); - if (ret) - goto out; - - /* save session key */ - - creds->session.keyvalue.length = 0; - creds->session.keyvalue.data = NULL; - creds->session.keytype = rep->enc_part.key.keytype; - ret = krb5_data_copy (&creds->session.keyvalue, - rep->enc_part.key.keyvalue.data, - rep->enc_part.key.keyvalue.length); - if (ret) { - krb5_clear_error_message(context); - goto out; - } - - /* compare client and save */ - ret = _krb5_principalname2krb5_principal (context, - &tmp_principal, - rep->kdc_rep.cname, - rep->kdc_rep.crealm); - if (ret) - goto out; - - /* check client referral and save principal */ - /* anonymous here ? */ - if((flags & EXTRACT_TICKET_ALLOW_CNAME_MISMATCH) == 0) { - ret = check_client_referral(context, rep, - creds->client, - tmp_principal, - &creds->session); - if (ret) { - krb5_free_principal (context, tmp_principal); - goto out; - } - } - krb5_free_principal (context, creds->client); - creds->client = tmp_principal; - - /* check server referral and save principal */ - ret = _krb5_principalname2krb5_principal (context, - &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); - if (ret) - goto out; - if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ - ret = check_server_referral(context, - rep, - flags, - creds->server, - tmp_principal, - &creds->session); - if (ret) { - krb5_free_principal (context, tmp_principal); - goto out; - } - } - krb5_free_principal(context, creds->server); - creds->server = tmp_principal; - - /* verify names */ - if(flags & EXTRACT_TICKET_MATCH_REALM){ - const char *srealm = krb5_principal_get_realm(context, creds->server); - const char *crealm = krb5_principal_get_realm(context, creds->client); - - if (strcmp(rep->enc_part.srealm, srealm) != 0 || - strcmp(rep->enc_part.srealm, crealm) != 0) - { - ret = KRB5KRB_AP_ERR_MODIFIED; - krb5_clear_error_message(context); - goto out; - } - } - - /* compare nonces */ - - if (nonce != rep->enc_part.nonce) { - ret = KRB5KRB_AP_ERR_MODIFIED; - krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); - goto out; - } - - /* set kdc-offset */ - - krb5_timeofday (context, &sec_now); - if (rep->enc_part.flags.initial - && context->kdc_sec_offset == 0 - && krb5_config_get_bool (context, NULL, - "libdefaults", - "kdc_timesync", - NULL)) { - context->kdc_sec_offset = rep->enc_part.authtime - sec_now; - krb5_timeofday (context, &sec_now); - } - - /* check all times */ - - if (rep->enc_part.starttime) { - tmp_time = *rep->enc_part.starttime; - } else - tmp_time = rep->enc_part.authtime; - - if (creds->times.starttime == 0 - && abs(tmp_time - sec_now) > context->max_skew) { - ret = KRB5KRB_AP_ERR_SKEW; - krb5_set_error_message (context, ret, - N_("time skew (%d) larger than max (%d)", ""), - abs(tmp_time - sec_now), - (int)context->max_skew); - goto out; - } - - if (creds->times.starttime != 0 - && tmp_time != creds->times.starttime) { - krb5_clear_error_message (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - - creds->times.starttime = tmp_time; - - if (rep->enc_part.renew_till) { - tmp_time = *rep->enc_part.renew_till; - } else - tmp_time = 0; - - if (creds->times.renew_till != 0 - && tmp_time > creds->times.renew_till) { - krb5_clear_error_message (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - - creds->times.renew_till = tmp_time; - - creds->times.authtime = rep->enc_part.authtime; - - if (creds->times.endtime != 0 - && rep->enc_part.endtime > creds->times.endtime) { - krb5_clear_error_message (context); - ret = KRB5KRB_AP_ERR_MODIFIED; - goto out; - } - - creds->times.endtime = rep->enc_part.endtime; - - if(rep->enc_part.caddr) - krb5_copy_addresses (context, rep->enc_part.caddr, &creds->addresses); - else if(addrs) - krb5_copy_addresses (context, addrs, &creds->addresses); - else { - creds->addresses.len = 0; - creds->addresses.val = NULL; - } - creds->flags.b = rep->enc_part.flags; - - creds->authdata.len = 0; - creds->authdata.val = NULL; - - /* extract ticket */ - ASN1_MALLOC_ENCODE(Ticket, creds->ticket.data, creds->ticket.length, - &rep->kdc_rep.ticket, &len, ret); - if(ret) - goto out; - if (creds->ticket.length != len) - krb5_abortx(context, "internal error in ASN.1 encoder"); - creds->second_ticket.length = 0; - creds->second_ticket.data = NULL; - - -out: - memset (rep->enc_part.key.keyvalue.data, 0, - rep->enc_part.key.keyvalue.length); - return ret; -} - #ifndef HEIMDAL_SMALLER static krb5_error_code